Managed Sentinel – Alert 055

Alert ID: MS-A055
Alert Name: Internal hosts matching 3 or more distinct IPS signatures within an hour
Description: This alert indicates that an internal host has been compromised and is attempting to attack other hosts or is communicating with a command and control server.
Severity Level: Medium
Threat Indicator: Compromised host
MITRE ATT&CK Tactics:
  - Persistence
  - Lateral Movement
  - Command and Control
Log sources: IPS
Recommendations:
  1. Perform an investigation in Azure Sentinel and determine whether any other alerts relate to the internal host.
  2. If required, isolate the internal host from the corporate network.
  3. Perform a full EDR scan on the affected internal host.
  4. If malicious content was detected on the host, perform a full reimage of the machine.
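The detection logic behind this alert (count distinct IPS signatures per internal host inside a one-hour window and fire at 3 or more) can be reproduced offline for testing and tuning. The Python below is an added example, not Managed Sentinel's own rule or query; in Azure Sentinel the production rule would be a KQL analytics rule over the IPS log table, and the event tuples, host addresses and signature names here are constructed sample data, not real telemetry. It uses a sliding window so that three signatures spread across, say, 09:00 to 09:45 match, while one signature repeated three times or three signatures spread over three hours do not.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IPS events (not real telemetry):
# (event time, internal source host, IPS signature id)
SAMPLE_IPS_EVENTS = [
    # Host .15: three distinct signatures within 45 minutes -> should alert
    ("2024-01-10T09:00:00", "10.0.1.15", "SIG-SMB-EXPLOIT"),
    ("2024-01-10T09:10:00", "10.0.1.15", "SIG-RDP-BRUTE"),
    ("2024-01-10T09:45:00", "10.0.1.15", "SIG-C2-BEACON"),
    # Host .22: the same signature three times -> only 1 distinct, no alert
    ("2024-01-10T09:00:00", "10.0.1.22", "SIG-SMB-EXPLOIT"),
    ("2024-01-10T09:20:00", "10.0.1.22", "SIG-SMB-EXPLOIT"),
    ("2024-01-10T09:40:00", "10.0.1.22", "SIG-SMB-EXPLOIT"),
    # Host .30: three distinct signatures but spread over 3 hours -> no alert
    ("2024-01-10T08:00:00", "10.0.1.30", "SIG-SMB-EXPLOIT"),
    ("2024-01-10T09:30:00", "10.0.1.30", "SIG-RDP-BRUTE"),
    ("2024-01-10T11:00:00", "10.0.1.30", "SIG-C2-BEACON"),
]


def find_hosts_with_distinct_signatures(events, threshold=3, window=timedelta(hours=1)):
    """Return {host: (window_start, signatures)} for every host that triggers
    at least `threshold` distinct IPS signatures inside any sliding `window`.

    Each event's timestamp is tried as the start of a window; the first window
    that reaches the threshold is reported, with the signature set that caused it.
    """
    by_host = defaultdict(list)
    for ts, host, sig in events:
        by_host[host].append((datetime.fromisoformat(ts), sig))

    hits = {}
    for host, host_events in by_host.items():
        host_events.sort()  # chronological order so later events are the window body
        for i, (start, _) in enumerate(host_events):
            # Distinct signatures seen from this event up to `window` later (inclusive)
            sigs = {sig for t, sig in host_events[i:] if t - start <= window}
            if len(sigs) >= threshold:
                hits[host] = (start, sigs)
                break  # one alert per host is enough for triage
    return hits


def summarize(hits):
    """Render alert hits as one triage line per host, e.g. for a ticket or console."""
    return [
        f"{host}: {len(sigs)} distinct IPS signatures from {start.isoformat()} -> {sorted(sigs)}"
        for host, (start, sigs) in sorted(hits.items())
    ]


if __name__ == "__main__":
    for line in summarize(find_hosts_with_distinct_signatures(SAMPLE_IPS_EVENTS)):
        print(line)
```

Lowering `threshold` or widening `window` is how the rule would be tuned; the sample data shows why both parameters matter, since host 10.0.1.30 only matches once the window is widened to cover its spread-out events.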