Managed Sentinel – Alert 031
| Field | Value |
|---|---|
| Alert Name | Excessive inbound firewall allows (Cisco ASA) |
| Description | This alert indicates an outlier in the number of inbound firewall connections. This may indicate a sustained attack against the firewall or the resources accessible through the firewall. |
| Threat Indicator | Improper Usage |
| MITRE ATT&CK Tactics | Execution |
| Log sources | Firewall Traffic Logs |
| Recommendations | 1. Review the affected DMZ system and identify whether this spike in traffic is normal. 2. Correlate the spike in utilization with any infrastructure changes that may justify an increase in traffic. 3. If no correlation exists, investigate whether all of the traffic is coming from the same untrusted source IP. 4. Block the untrusted IP in your perimeter firewall or at the ISP level. |
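The detection logic this alert describes, as an added example that is not Managed Sentinel's own rule: the script counts Cisco ASA "Built inbound ... connection" messages (message IDs 302013 for TCP and 302015 for UDP) per minute over constructed sample syslog lines, flags minutes that are outliers against a median/MAD baseline of the other minutes, and reports what share of each spike comes from its top source IP, which is the check recommendation 3 asks for. The host name `asa01`, the addresses and the timestamps in the sample are constructed.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# ASA "Built inbound" allow messages; denies (106023 etc.) and outbound builds do not match.
BUILT_INBOUND = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-30201[35]: "
    r"Built inbound (?:TCP|UDP) connection \d+ for \w+:(?P<src>[\d.]+)/\d+ ")

def asa_line(ts, src, conn):
    """Constructed ASA syslog line in the 302013 format (inbound TCP to a DMZ web server)."""
    port = 40000 + conn % 1000
    return (f"{ts} asa01 %ASA-6-302013: Built inbound TCP connection {conn} for "
            f"outside:{src}/{port} ({src}/{port}) to dmz:10.10.0.5/443 (198.51.100.10/443)")

def build_sample_logs():
    """Constructed sample: ten quiet minutes, then a minute with a surge from one source."""
    lines, conn, quiet = [], 1000, ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
    for minute in range(10):
        for i in range(3):
            conn += 1
            lines.append(asa_line(f"Jan 10 2024 09:{minute:02d}:{i * 15:02d}", quiet[i], conn))
    for i in range(40):
        conn += 1
        lines.append(asa_line(f"Jan 10 2024 09:10:{i:02d}", "203.0.113.77", conn))
    lines.append(asa_line("Jan 10 2024 09:10:45", "203.0.113.1", conn + 1))
    lines.append('Jan 10 2024 09:10:50 asa01 %ASA-4-106023: Deny tcp src outside:203.0.113.77/5555 '
                 'dst dmz:10.10.0.5/22 by access-group "outside_in"')  # must not be counted
    return lines

def count_inbound_allows(lines):
    """Return allows per minute and, per minute, a Counter of source IPs."""
    per_minute, sources = Counter(), defaultdict(Counter)
    for line in lines:
        m = BUILT_INBOUND.match(line)
        if not m:
            continue
        minute = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S").replace(second=0)
        per_minute[minute] += 1
        sources[minute][m["src"]] += 1
    return per_minute, sources

def find_spikes(per_minute, sources, k=3.0, min_baseline=3):
    """Flag minutes above median + k*MAD of the other minutes (robust to the spike itself).
    Returns (minute, count, top_source, share_of_top_source) tuples."""
    spikes = []
    for minute, count in sorted(per_minute.items()):
        others = [c for t, c in per_minute.items() if t != minute]
        if len(others) < min_baseline:
            continue  # too little history to call anything an outlier
        med = statistics.median(others)
        mad = statistics.median(abs(c - med) for c in others) or 1.0  # floor a zero MAD
        if count > med + k * mad:
            top, n = sources[minute].most_common(1)[0]
            spikes.append((minute, count, top, round(n / count, 2)))
    return spikes

def detect(lines):
    return find_spikes(*count_inbound_allows(lines))

if __name__ == "__main__":
    for minute, count, top, share in detect(build_sample_logs()):
        print(f"{minute:%H:%M}: {count} inbound allows, {share:.0%} from {top}")
```

On real traffic the per-minute baseline should come from a longer window than eleven minutes, and the `k` multiplier tuned per environment; the single-source share is what separates a one-IP flood (recommendation 4) from a broad increase that needs the correlation in recommendation 2.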