Managed Sentinel – Alert 045

Alert ID: MS-A045
Alert Name: High Number of Connections on specific opened ports
Description: This alert is triggered if a high number of connections is observed on ports such as tcp/1433 or tcp/3389. The customer provides the list of monitored ports, based on the specifics of each environment.
Severity Level: Medium
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Initial Access, Persistence, Defense Evasion, Exfiltration
Log Sources: Firewalls
False Positive: Unknown
Recommendations: Depending on the ports/application involved, the volume of data transferred and the number of sessions, the appropriate action differs from case to case. If anything suspicious is seen, it is recommended to scan the source machine and to investigate further in Sentinel, pivoting on the source machine name, IP and username.

If this relates to a DMZ machine (inbound traffic allowed from the Internet), correct the firewall rules to limit access to the specific applications/ports required.
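The detection logic behind this alert, shown as an added example that is not part of the Managed Sentinel alert definition: firewall connection logs are filtered to a customer-supplied list of monitored ports, allowed sessions are counted per source and destination port, and any pair above a threshold is reported together with the number of distinct destinations it reached. The log format, port list, threshold and sample lines are all constructed for the example; in Sentinel itself this would be expressed as a KQL analytic rule over the firewall log table and bounded by a time window.

```python
"""
Threshold detection for "high number of connections on monitored ports".
Example code only; log format, ports, threshold and sample data are constructed.
"""
import re
from collections import defaultdict

# Ports the customer asked to monitor (per-environment list; these two are
# assumed for the example).
MONITORED_PORTS = {1433, 3389}

# Connection-count threshold per (source IP, destination port) within the
# evaluated window. Value chosen for the example; tune per environment.
THRESHOLD = 5

# Constructed sample firewall log lines in a simple key=value format.
SAMPLE_LOGS = """
2024-01-10T10:00:01Z src=10.1.1.5 dst=10.2.0.10 dpt=3389 act=allow
2024-01-10T10:00:03Z src=10.1.1.5 dst=10.2.0.11 dpt=3389 act=allow
2024-01-10T10:00:04Z src=10.1.1.5 dst=10.2.0.12 dpt=3389 act=allow
2024-01-10T10:00:06Z src=10.1.1.5 dst=10.2.0.10 dpt=3389 act=allow
2024-01-10T10:00:07Z src=10.1.1.5 dst=10.2.0.11 dpt=3389 act=allow
2024-01-10T10:00:09Z src=10.1.1.5 dst=10.2.0.12 dpt=3389 act=allow
2024-01-10T10:00:10Z src=10.1.1.5 dst=10.2.0.20 dpt=443 act=allow
2024-01-10T10:00:11Z src=10.1.1.5 dst=10.2.0.20 dpt=443 act=allow
2024-01-10T10:00:12Z src=10.1.1.7 dst=10.2.0.10 dpt=3389 act=allow
2024-01-10T10:00:13Z src=10.1.1.7 dst=10.2.0.10 dpt=3389 act=allow
2024-01-10T10:00:14Z src=10.1.1.9 dst=10.2.0.30 dpt=1433 act=allow
2024-01-10T10:00:15Z src=10.1.1.9 dst=10.2.0.30 dpt=1433 act=allow
2024-01-10T10:00:16Z src=10.1.1.9 dst=10.2.0.30 dpt=1433 act=allow
2024-01-10T10:00:17Z src=10.1.1.9 dst=10.2.0.30 dpt=1433 act=deny
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dpt=(?P<dpt>\d+)\s+act=(?P<act>\w+)"
)


def parse(lines):
    """Yield (src, dst, dport, action) for every line that matches the format."""
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt")), m.group("act")


def count_connections(lines, monitored_ports=MONITORED_PORTS):
    """Count allowed sessions per (source IP, destination port) on monitored ports.

    Returns a dict keyed by (src, dport) whose value is the list of destination
    IPs contacted, so both the session count and the destination spread are kept.
    Denied sessions are ignored: the alert concerns connections that were made.
    """
    sessions = defaultdict(list)
    for src, dst, dport, act in parse(lines):
        if dport in monitored_ports and act == "allow":
            sessions[(src, dport)].append(dst)
    return {key: len(dsts) for key, dsts in sessions.items()}, sessions


def detect(lines, threshold=THRESHOLD, monitored_ports=MONITORED_PORTS):
    """Return the (source, port) pairs at or above the threshold, busiest first.

    Each hit also carries the number of distinct destinations, which helps the
    analyst tell one noisy client apart from a source sweeping many hosts.
    """
    counts, sessions = count_connections(lines, monitored_ports)
    hits = [
        {
            "source": src,
            "port": dport,
            "connections": n,
            "distinct_destinations": len(set(sessions[(src, dport)])),
        }
        for (src, dport), n in counts.items()
        if n >= threshold
    ]
    return sorted(hits, key=lambda h: (-h["connections"], h["source"], h["port"]))


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(hit)
```

With the constructed data and the default threshold, only 10.1.1.5 is reported (six RDP sessions across three destinations); lowering the threshold to 3 would also surface 10.1.1.9 on tcp/1433, which illustrates why the threshold and port list are left to each environment.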