Managed Sentinel – Alert 035

Alert ID: MS-A035
Alert Name: Excessive Outbound Firewall Denies
Description: This is an outlier-type alert that fires when an excessive number of denied outbound firewall requests is observed heading towards an untrusted zone.
Severity Level: High
Threat Indicator: Compromised Host
MITRE ATT&CK Tactics: Persistence
Log Sources: Firewall Traffic Logs
False Positives:
- Asset inventory application scanners
- Vulnerability scans
Recommendations: Review the configuration of the internal machine that is generating this traffic. This is an indicator of a compromised machine initiating an attack towards other internal or external hosts.

Quarantine the internal machine.
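The detection logic this alert describes, written out as an added example (not Managed Sentinel's own rule): it counts denied requests per internal source towards the untrusted zone inside a sliding window and skips the scanner hosts the alert lists as false positives. The log format, the 5-minute window, the threshold of 50 and the scanner allow-list are all assumptions, since the alert states none of them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values: the alert text states no window or count.
WINDOW = timedelta(minutes=5)
THRESHOLD = 50
# Assumed allow-list for the false positives the alert names (scanners).
KNOWN_SCANNERS = {"10.1.1.250"}

def parse_line(line):
    """Parse '<ISO timestamp> key=value ...' (constructed log format) to a dict."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields

def excessive_outbound_denies(lines, window=WINDOW, threshold=THRESHOLD,
                              scanners=KNOWN_SCANNERS):
    """Return {src: peak count} for hosts whose denied requests towards the
    untrusted zone reach the threshold inside any sliding time window."""
    per_src = defaultdict(list)
    for f in map(parse_line, lines):
        if f.get("action") != "deny" or f.get("dst_zone") != "untrusted":
            continue                      # only outbound denies to untrusted
        if f["src"] in scanners:
            continue                      # documented false-positive source
        per_src[f["src"]].append(f["ts"])
    alerts = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):   # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts

def build_sample_logs():
    """Constructed firewall traffic log lines (not real data)."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    def rec(i, src, dst, zone):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        return "%s src=%s dst=%s dport=445 dst_zone=%s action=deny" % (ts, src, dst, zone)
    logs = [rec(i, "10.1.1.20", "203.0.113.%d" % (i % 20 + 1), "untrusted") for i in range(60)]
    logs += [rec(i, "10.1.1.250", "203.0.113.9", "untrusted") for i in range(60)]  # scanner
    logs += [rec(i, "10.1.1.30", "10.1.2.5", "trusted") for i in range(70)]  # stays internal
    logs.append(rec(0, "10.1.1.40", "198.51.100.7", "untrusted"))  # a single deny
    return logs
```

Only the host sending 60 denies towards the untrusted zone in two minutes is reported; the scanner is suppressed by the allow-list, and the host whose denies stay inside the trusted zone is out of scope for this alert.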