Managed Sentinel – Alert 034

Alert ID: MS-A034
Alert Name: Excessive Outbound Firewall Allows
Description: Outlier (anomaly) alert that flags abnormal spikes in the number of outbound connections the firewall allows from the company network toward an untrusted zone, compared with the usual volume of such traffic.
Severity Level: Medium
Threat Indicator: Compromised Host
MITRE ATT&CK Tactics: Persistence, Discovery, Collection
Log Sources: Firewall Traffic Logs
False Positives: Asset inventory and application scanners; vulnerability scans (if the organization does not block outbound traffic at the perimeter firewall)
Recommendations: Review the configuration of the internal machine(s) generating this traffic. This can be an indicator of a compromised machine initiating data transfer toward other internal or external hosts.

Quarantine the internal machine.
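As an added worked example, and not Managed Sentinel's own detection logic (which this page does not show), the Python script below runs the kind of outlier check the alert describes over constructed firewall traffic log lines: it keeps only allowed flows from an internal source to a non-internal destination, counts them per source host per hour, and flags a host whose latest hour is a robust outlier against its own earlier hours. It also shows the false-positive handling the table calls for by suppressing a known scanner host. The log line format, the internal address ranges, the scanner address 10.0.0.5, the threshold values and the sample data are all assumptions made for the example.

```python
# Added example (not Managed Sentinel's detection logic): count allowed outbound
# connections per internal source host per hour from firewall traffic logs and
# flag hosts whose latest hour is an outlier against their own history.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed: the company's internal address space and known scanner hosts.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SCANNER_HOSTS = {"10.0.0.5"}  # assumed asset-inventory / vulnerability scanner


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one constructed log line: '<ISO time> <ALLOW|DENY> <src> <dst> <dport>'."""
    try:
        ts, action, src, dst, dport = line.split()
        return {"ts": datetime.fromisoformat(ts), "action": action,
                "src": src, "dst": dst, "dport": int(dport)}
    except ValueError:
        return None  # malformed line: skip it rather than crash the job


def hourly_outbound_allows(lines):
    """Return {src: {hour_bucket: count}} for allowed internal->external flows only."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # only internal sources talking to the untrusted zone count
        bucket = rec["ts"].replace(minute=0, second=0, microsecond=0)
        counts[rec["src"]][bucket] += 1
    return counts


def find_outliers(counts, min_history=3, z_threshold=5.0, min_count=20,
                  suppress=frozenset()):
    """Return (src, bucket, count, baseline_median) for hosts whose latest hour is an outlier.

    The baseline is the host's own earlier buckets. A median/MAD score is used
    instead of mean/stddev so one earlier spike cannot inflate the baseline.
    Hosts in `suppress` (known scanners) are skipped as expected false positives.
    """
    alerts = []
    for src, per_hour in counts.items():
        if src in suppress:
            continue
        buckets = sorted(per_hour)
        if len(buckets) <= min_history:
            continue  # not enough history to call anything abnormal
        history = [per_hour[b] for b in buckets[:-1]]
        latest = per_hour[buckets[-1]]
        med = median(history)
        mad = median(abs(x - med) for x in history) * 1.4826
        scale = max(mad, 1.0)  # floor: a perfectly flat history must not divide by zero
        z = (latest - med) / scale
        if z >= z_threshold and latest >= min_count:
            alerts.append((src, buckets[-1], latest, med))
    return alerts


def constructed_logs():
    """Constructed sample firewall traffic log lines (not real data)."""
    start = datetime(2024, 1, 1, 0, 0, 0)
    lines = []
    profiles = {  # src: (dst, allowed connections per hour over 7 hours)
        "10.0.1.10": ("203.0.113.7", [5, 6, 5, 4, 6, 5, 80]),          # workstation that spikes
        "10.0.1.11": ("10.0.2.20", [50, 50, 50, 50, 50, 50, 90]),      # internal-only traffic
        "10.0.0.5": ("198.51.100.9", [200, 200, 200, 200, 200, 200, 600]),  # scanner
    }
    for src, (dst, per_hour) in profiles.items():
        for hour, n in enumerate(per_hour):
            for i in range(n):
                ts = start + timedelta(hours=hour, seconds=i)
                lines.append(f"{ts.isoformat()} ALLOW {src} {dst} 443")
    lines.append("garbage line")                                   # malformed record
    lines.append(f"{start.isoformat()} DENY 10.0.1.10 203.0.113.7 22")  # denied, not counted
    return lines


if __name__ == "__main__":
    counts = hourly_outbound_allows(constructed_logs())
    for alert in find_outliers(counts, suppress=SCANNER_HOSTS):
        print("MS-A034 candidate:", alert)
```

With the constructed data only 10.0.1.10 is reported: its last hour (80 allows against a baseline of about 5) is far outside its history, 10.0.1.11 never leaves the internal range and so is not counted at all, and the scanner's own spike is suppressed by the allow-list; drop the `suppress` argument and the scanner is reported too, which is exactly the false positive the table warns about.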