Managed Sentinel – Alert 045
| Field | Value |
|---|---|
| Alert Name | High Number of Connections on specific opened ports |
| Description | This alert is triggered if a high number of connections is observed on ports such as tcp/1433 and tcp/3389. The customer provides the list of monitored ports, based on the specifics of each environment. |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Initial Access |
| Recommendations | Depending on the ports/application involved, the volume of data transferred and the number of sessions, the action differs from case to case. If anything suspicious is seen, it is recommended to scan the source machine. An investigation in Sentinel based on the source machine name, IP and username is also recommended. If this relates to a DMZ machine (inbound Internet traffic allowed), correct the firewall rules to limit access to specific applications/ports. |
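As an added illustration, not part of the Managed Sentinel alert content, the following Python reproduces the detection logic described above over constructed firewall log lines: it counts allowed connections per source, destination and monitored port inside a sliding time window and raises one alert per tuple once the count reaches a threshold. The port list (taken from the alert text), the threshold, the window, the CSV log format and all addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Customer-supplied list of monitored ports (assumption: the two ports named in the alert)
MONITORED_PORTS = {1433, 3389}

# Constructed sample firewall log: "timestamp,src_ip,dst_ip,dst_port,action" (not real data)
SAMPLE_LOG = """\
2024-05-01T10:00:01Z,203.0.113.7,10.0.0.5,3389,allow
2024-05-01T10:00:05Z,203.0.113.7,10.0.0.8,443,allow
2024-05-01T10:00:12Z,203.0.113.7,10.0.0.5,3389,allow
2024-05-01T10:00:30Z,198.51.100.9,10.0.0.5,1433,allow
2024-05-01T10:00:45Z,203.0.113.7,10.0.0.5,3389,allow
2024-05-01T10:01:02Z,203.0.113.7,10.0.0.5,3389,deny
2024-05-01T10:01:10Z,203.0.113.7,10.0.0.5,3389,allow
2024-05-01T10:01:33Z,203.0.113.7,10.0.0.5,3389,allow
2024-05-01T10:40:00Z,198.51.100.9,10.0.0.5,1433,allow
"""

def parse_line(line):
    """Parse one constructed CSV log line into a dict."""
    ts, src, dst, port, action = line.split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "port": int(port), "action": action}

def detect_high_connections(log_text, ports=MONITORED_PORTS, threshold=5, window=timedelta(minutes=5)):
    """Alert on each (src, dst, port) whose allowed connections within `window` reach `threshold`."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)        # per tuple: timestamps still inside the window
    alerts, fired = [], set()
    for e in events:
        if e["port"] not in ports or e["action"] != "allow":
            continue                   # only monitored ports, only sessions the firewall let through
        key = (e["src"], e["dst"], e["port"])
        q = recent[key]
        q.append(e["ts"])
        while e["ts"] - q[0] > window: # age out connections older than the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)             # one alert per tuple, not one per additional connection
            alerts.append({"src": key[0], "dst": key[1], "port": key[2],
                           "count": len(q), "first": q[0], "last": e["ts"]})
    return alerts

if __name__ == "__main__":
    for a in detect_high_connections(SAMPLE_LOG):
        print(f"ALERT {a['src']} -> {a['dst']}:{a['port']} {a['count']} connections "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The 443 traffic is ignored because the port is not monitored, the denied session is not counted, and the two 1433 connections fall outside one window of each other, so only the RDP burst from 203.0.113.7 produces an alert.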