Managed Sentinel – Alert 031

Alert ID: MS-A031
Alert Name: Excessive inbound firewall allows (Cisco ASA)
Description: This alert indicates an outlier in the number of inbound connections allowed through the firewall compared with its normal baseline. Such a spike may indicate a sustained attack against the firewall itself or against the resources reachable through it.
Severity Level: Medium
Threat Indicator: Improper Usage
MITRE ATT&CK Tactics: Execution
Log Sources: Firewall Traffic Logs
Recommendations:
1. Review the affected DMZ system and determine whether this spike in traffic is normal for it.
2. Correlate the spike with any infrastructure changes (new services, migrations, maintenance windows) that would justify the increase in traffic.
3. If no such correlation exists, check whether the traffic is all coming from the same untrusted source IP.
4. Block the untrusted IP at your perimeter firewall or at the ISP level.
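The outlier logic this alert describes, followed by the per-source breakdown that recommendation 3 asks for, as an added example that is not part of the Managed Sentinel content. The log lines are constructed for the example; their layout follows the Cisco ASA 302013 "Built inbound" message, and the timestamp prefix and hostname are assumptions.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Cisco ASA "Built inbound" connection message (ASA-6-302013). The leading
# "Mon DD YYYY HH:MM:SS host" prefix is an assumed syslog layout.
ASA_INBOUND = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) .*%ASA-6-302013: Built inbound "
    r"(?P<proto>TCP|UDP) connection \d+ for \w+:(?P<src>[\d.]+)/\d+ .* to \w+:(?P<dst>[\d.]+)/\d+"
)

def parse_inbound(lines):
    """Return (hour_bucket, src_ip) for each inbound-allow line; other messages are ignored."""
    out = []
    for line in lines:
        m = ASA_INBOUND.match(line)
        if m:
            out.append((m.group("ts")[:14], m.group("src")))  # "Jan 10 2024 08" = hour bucket
    return out

def hourly_outliers(records, k=3.0):
    """Hours whose allow count exceeds the mean of the *other* hours by k standard deviations.
    Leaving the candidate hour out of its own baseline keeps one spike from hiding itself."""
    per_hour = Counter(h for h, _ in records)
    flagged = {}
    for hour, n in per_hour.items():
        others = [c for h, c in per_hour.items() if h != hour]
        if len(others) < 2:
            continue  # not enough history to call anything an outlier
        mu, sd = mean(others), pstdev(others)
        if n > mu + k * max(sd, 1.0):  # floor on sd so a flat baseline still works
            flagged[hour] = n
    return flagged

def top_sources(records, hour):
    """Source-IP breakdown for a flagged hour (recommendation 3: is it one untrusted source?)."""
    return Counter(src for h, src in records if h == hour).most_common()

def sample_log():
    """Constructed sample: 8 quiet hours of 40-42 allows each, then one hour with 400 from one source."""
    tpl = ("Jan 10 2024 {h:02d}:{m:02d}:{s:02d} asa01 %ASA-6-302013: Built inbound TCP connection "
           "{cid} for outside:{src}/{sp} ({src}/{sp}) to dmz:10.0.0.10/443 (10.0.0.10/443)")
    lines, cid = [], 1000
    for h in range(8):
        for i in range(40 + h % 3):
            cid += 1
            lines.append(tpl.format(h=h, m=i % 60, s=i % 60, cid=cid, src=f"198.51.100.{i % 20 + 1}", sp=40000 + i))
    for i in range(400):
        cid += 1
        lines.append(tpl.format(h=8, m=i % 60, s=(i * 7) % 60, cid=cid, src="203.0.113.5", sp=50000 + i))
    lines.append("Jan 10 2024 08:00:00 asa01 %ASA-6-106023: Deny tcp src outside:203.0.113.9/1 dst dmz:10.0.0.10/22")
    return lines
```

Running `hourly_outliers(parse_inbound(sample_log()))` flags only the 08:00 hour, and `top_sources` for that hour shows every allow came from a single address, which is the case where recommendation 4 applies.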