Managed Sentinel – Alert 010

Alert ID: MS-A010
Alert Name: FTP/SFTP from Internal hosts to foreign countries
Description: This alert triggers when an internal host initiates an FTP, SFTP or SSH connection to one or more external servers located outside the local geo defined by the customer. Recommended foreign countries: China, Iran, North Korea, etc.
Severity Level: Low
Threat Indicator: Data leakage
MITRE ATT&CK Tactics: Execution, Lateral Movement, Exfiltration
Log sources: Firewalls
False Positive: N/A
Recommendations:
1. Investigate in Sentinel the source host initiating this type of outbound connection. Determine whether any other suspicious traffic has originated from the source host/user.
2. Block this specific outbound traffic in the perimeter firewall.
3. If a malicious host and/or data leakage is confirmed, immediately disconnect the impacted host and perform a full EDR scan of the machine.
4. Collect evidence for future investigations.
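The detection condition described above, written as a Sentinel KQL analytics query over the CommonSecurityLog table. This is an added example, not Managed Sentinel's own rule; it assumes the firewall forwards CEF logs with SourceIP, DestinationIP, DestinationPort, DeviceAction and SourceUserName populated, and the home-country value and the watched-country list are placeholders the customer sets.

```kql
// Added example (not the vendor's rule): MS-A010 as a scheduled analytics query.
// Assumption: firewall logs arrive in CommonSecurityLog (CEF) with the fields used below.
let homeCountry = "Placeholder Home Country";      // placeholder: the customer's local geo
// Placeholder watch list; strings must match the country names returned by
// geo_info_from_ip_address() in your workspace, so verify them before enabling.
let watchedCountries = dynamic(["China", "Iran", "North Korea"]);
let lookback = 1h;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DestinationPort in (21, 22)                 // FTP (21) and SFTP/SSH (22)
// Assumption: these DeviceAction values denote blocked sessions for this vendor;
// only sessions the firewall allowed are of interest for data leakage.
| where DeviceAction !in ("deny", "drop", "block")
| where ipv4_is_private(SourceIP)                   // initiated from an internal host
| where not(ipv4_is_private(DestinationIP))         // towards an external address
| extend geo = geo_info_from_ip_address(DestinationIP)
| extend DestCountry = tostring(geo.country)
| where DestCountry != homeCountry and DestCountry in (watchedCountries)
// One row per internal source and destination country, with enough context
// to start recommendation 1 (check the host/user for other suspicious traffic).
| summarize ConnectionCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            DestinationIPs = make_set(DestinationIP, 20),
            Ports = make_set(DestinationPort)
    by SourceIP, SourceUserName, DestCountry, DeviceVendor
| order by ConnectionCount desc
```

Map SourceIP to the host entity and SourceUserName to the account entity in the rule's entity mapping so the incident links directly to the host named in recommendation 1.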