This alert triggers when an internal host initiates an FTP, SFTP or SSH connection to one or more external servers located outside the local geography defined by the customer. Recommended foreign countries to flag: China, Iran, North Korea, etc.
MITRE ATT&CK Tactics
1. Investigate in Sentinel the source host that initiated this type of outbound connection. As standard, check whether any other suspicious traffic has originated from the source host/user.
2. Block this specific outbound traffic at the perimeter firewall.
3. If a malicious host and/or data leakage is determined, immediately disconnect the impacted host and perform a full EDR scan of the machine.
4. Collect evidence for future investigations.
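The detection logic described at the top of this alert, run over a few constructed firewall log lines, as an added example that is not part of the original runbook or of any Sentinel rule; the key=value log format, the tiny GeoIP table and the address-to-country mappings are all assumptions made for the example, and an unknown geo is deliberately treated as non-local so a lookup gap cannot silently suppress an alert.

```python
import ipaddress

# Constructed sample firewall log lines (not real traffic); the key=value layout is assumed.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z src=10.1.2.3 dst=203.0.113.5 dport=22 proto=tcp
2024-05-01T10:00:02Z src=10.1.2.4 dst=192.0.2.10 dport=21 proto=tcp
2024-05-01T10:00:03Z src=10.1.2.5 dst=198.51.100.7 dport=443 proto=tcp
2024-05-01T10:00:04Z src=10.1.2.6 dst=192.168.5.7 dport=22 proto=tcp
2024-05-01T10:00:05Z src=172.16.9.9 dst=192.0.2.200 dport=22 proto=tcp
2024-05-01T10:00:06Z src=10.1.2.10 dst=198.51.100.3 dport=21 proto=tcp
"""

# Constructed stand-in for a GeoIP database: these CIDR -> country mappings are invented.
GEO_TABLE = {"203.0.113.0/24": "CN", "198.51.100.0/24": "IR", "192.0.2.0/25": "US"}
# RFC 1918 ranges define "internal" here; adjust to the customer's address plan.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRANSFER_PORTS = {21: "ftp", 22: "ssh/sftp"}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def country_for(ip):
    """Return the country code for ip, or None when the geo is unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return None

def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def find_foreign_transfers(log_text, local_geos, watchlist=frozenset()):
    """Flag internal -> external FTP/SFTP/SSH connections whose destination lies outside local_geos.
    Destinations in the watchlist (e.g. the recommended countries) are raised to high severity."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        port = int(rec["dport"])
        if port not in TRANSFER_PORTS or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        cc = country_for(rec["dst"])
        if cc in local_geos:
            continue
        alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "country": cc,
                       "service": TRANSFER_PORTS[port], "severity": "high" if cc in watchlist else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_foreign_transfers(SAMPLE_LOGS, {"US"}, {"CN", "IR", "KP"}):
        print(alert)
```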