Been looking at rep scores for IPs as part of a triage and came across this situation and was wondering how others approach it. I saw a whole bunch of new outbound activity from a bunch of Windows endpoints (all used a common resolver and yes, post Patch Tuesday). Based on the passive DNS observation, at one point it's Windows Update. At another, it's serving possible malware or even involved in outbound scans. I guess the issue is that a CDN is going to recycle IPs between customers and one day it's benign and another, not so much?
Do people bother with looking at IP rep databases as part of an overall score to identify further avenues of investigation, or is it mostly a path not worth looking at because things change so much at CDNs?
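One way to make IP reputation usable on shared CDN space is to evaluate it at the time of the connection rather than as a static verdict: join each outbound event against passive DNS for that instant, check whether the reputation hit is dated near the event or far from it, and discount IPs that passive DNS shows hosting many unrelated names. The script below is an added example for this thread, not something the poster or any vendor published; the passive DNS rows, reputation entries, IPs (documentation ranges) and the allowlisted suffixes are all constructed for illustration.

```python
"""Time-aware IP reputation triage (added example; all data constructed).

Assumes passive DNS and reputation feeds are already exported as lists of
dicts with ISO-8601 timestamps. Scoring weights are arbitrary starting
points, not a vendor's scheme.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed passive DNS: one CDN IP that changes tenants over time, plus
# a single-purpose IP. These are not real observations.
PDNS = [
    {"ip": "203.0.113.10", "host": "updates.example-vendor.com",
     "first_seen": "2024-03-01T00:00:00", "last_seen": "2024-03-11T00:00:00"},
    {"ip": "203.0.113.10", "host": "dl.delivery.mp.microsoft.com",
     "first_seen": "2024-03-12T00:00:00", "last_seen": "2024-03-13T23:59:00"},
    {"ip": "203.0.113.10", "host": "cdn-edge.example-tenant.net",
     "first_seen": "2024-03-14T00:00:00", "last_seen": "2024-03-20T00:00:00"},
    {"ip": "198.51.100.7", "host": "bad.example-c2.top",
     "first_seen": "2024-03-10T00:00:00", "last_seen": "2024-03-20T00:00:00"},
]

# Constructed reputation feed entries, each with the date the verdict was made.
REP = [
    {"ip": "203.0.113.10", "verdict": "malicious", "observed": "2024-03-16T00:00:00"},
    {"ip": "198.51.100.7", "verdict": "malicious", "observed": "2024-03-13T12:00:00"},
]

# Assumed allowlist of name suffixes that explain post-patch-Tuesday traffic.
BENIGN_SUFFIXES = (".microsoft.com", ".windowsupdate.com")
REP_WINDOW = timedelta(days=2)      # how close a verdict must be to the event
SHARED_THRESHOLD = 3                # distinct names before we call an IP "shared"


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def resolved_names_at(ip: str, when: datetime, pdns=PDNS) -> list:
    """Hostnames passive DNS says pointed at `ip` at the moment of the event."""
    return sorted({r["host"] for r in pdns
                   if r["ip"] == ip and parse(r["first_seen"]) <= when <= parse(r["last_seen"])})


def is_shared_infra(ip: str, pdns=PDNS) -> bool:
    """Many distinct names over an IP's history is the CDN-recycling signature."""
    return len({r["host"] for r in pdns if r["ip"] == ip}) >= SHARED_THRESHOLD


@dataclass
class Triage:
    ip: str
    priority: str
    score: int
    names_at_event: list
    reasons: list = field(default_factory=list)


def triage(ip: str, when_iso: str, pdns=PDNS, rep=REP) -> Triage:
    when = parse(when_iso)
    names = resolved_names_at(ip, when, pdns)
    hits = [r for r in rep if r["ip"] == ip]
    near = [r for r in hits if abs(parse(r["observed"]) - when) <= REP_WINDOW]
    score, reasons = 0, []

    if near:                      # verdict dated close to our event: strong signal
        score += 3
        reasons.append(f"reputation verdict within {REP_WINDOW.days}d of event")
    elif hits:                    # verdict exists but may predate/postdate a tenant change
        score += 1
        reasons.append("stale reputation verdict; IP may have been reassigned since")

    if any(n.endswith(BENIGN_SUFFIXES) for n in names):
        score -= 2
        reasons.append(f"resolved to allowlisted name at event time: {names}")

    if is_shared_infra(ip, pdns):
        score -= 1
        reasons.append("shared hosting/CDN IP; reputation applies to the name, not the IP")

    priority = "investigate" if score >= 3 else "review" if score >= 1 else "low"
    return Triage(ip, priority, score, names, reasons)


if __name__ == "__main__":
    # Constructed outbound events: same CDN IP seen before and after it changed hands.
    for ip, ts in [("203.0.113.10", "2024-03-13T12:00:00"),
                   ("203.0.113.10", "2024-03-16T06:00:00"),
                   ("198.51.100.7", "2024-03-13T12:00:00")]:
        t = triage(ip, ts)
        print(f"{ip} @ {ts}: {t.priority} (score {t.score}); " + "; ".join(t.reasons))
```

The useful property is that the same IP gets two different answers depending on when the endpoint talked to it: the Patch Tuesday connection lands as low priority because passive DNS shows a Microsoft name at that instant and the malicious verdict is dated after the tenant changed, while the later connection keeps a raised score but is capped at "review" because the IP is demonstrably shared. The weights are deliberately simple; the thing worth keeping is the time join and the shared-infrastructure discount, not the numbers.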