Managed Sentinel – Alert 054

Alert IDMS-A054
Alert NameHigh severity IPS Signatures from sources originating from internal network
DescriptionThis is an indicator that an internal host has been compromised that is trying to a Command & Control site
Severity LevelHigh
Threat IndicatorCompromised host
MITRE ATT&CK TacticsExecution
Exfiltration
Command and Control
Log sourcesIPS
Recommendations1. Perform an investigation in Azure Sentinel and understand if any other alerts relates to the internal host
2. Isolate impacted internal host from corporate network
3. Perform a full EDR scan on the affected internal host
4. If malicious content was detected on the host, perform a full OS re-image the machine