Managed Sentinel – Alert 104

Alert ID: MS-A104
Alert Name: Anomalous allow connections from internal hosts
Description: This alert identifies internal hosts with an unusual amount of outbound allowed connections. This may indicate data exfiltration or an otherwise compromised host.
Severity Level: Low
Threat Indicator: Compromised Host
MITRE ATT&CK Tactics: Discovery
Log sources: Firewall Traffic Logs
False Positives: Asset inventory application scanners; vulnerability scans (if the organization is not blocking outbound traffic in the perimeter firewall)
Recommendations:
1. Review the configuration of the internal machine(s) generating this traffic.
2. Run an EDR scan on the internal host.
3. If applicable, quarantine or disconnect the machine from the internal network.
4. Review perimeter firewall logs for indicators of large amounts of data transferred from the internal machine to internet destinations (data leakage).
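The detection logic this alert describes, as an added illustration that is not Managed Sentinel's own rule: it counts allowed connections per internal source host that leave the RFC 1918 address space, excludes the known scanners listed under false positives, and flags hosts whose count sits far above a robust baseline (median plus a multiple of the median absolute deviation). The key=value log format, the sample lines and the `SCANNER_ALLOWLIST` hosts are all constructed for the example.

```python
import ipaddress
import statistics
from collections import Counter

# Constructed sample firewall traffic logs (key=value, one connection per line).
# Not real data: three normal workstations, one host (10.0.0.50) that opens far
# more allowed outbound connections, and an authorised scanner (10.0.0.9).
SAMPLE_LOGS = (
    ["src=10.0.0.10 dst=93.184.216.34 dport=443 action=allow"] * 20
    + ["src=10.0.0.11 dst=151.101.1.69 dport=443 action=allow"] * 25
    + ["src=10.0.0.12 dst=104.16.0.1 dport=443 action=allow"] * 22
    + ["src=10.0.0.50 dst=45.33.32.156 dport=8443 action=allow"] * 400
    + ["src=10.0.0.50 dst=45.33.32.156 dport=8443 action=deny"] * 50  # denies are not counted
    + ["src=10.0.0.10 dst=10.0.0.5 dport=445 action=allow"] * 300      # internal-to-internal, not outbound
    + ["src=10.0.0.9 dst=8.8.8.8 dport=443 action=allow"] * 500        # known vulnerability scanner
)

# Hosts expected to make many outbound connections (the alert's known false positives).
SCANNER_ALLOWLIST = {"10.0.0.9"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(line: str) -> dict:
    """Split a key=value firewall log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_internal(ip: str) -> bool:
    """True when the address falls inside the RFC 1918 ranges we treat as internal."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_allowed_counts(lines, allowlist=SCANNER_ALLOWLIST) -> Counter:
    """Count allowed connections per internal source host whose destination is outside the network."""
    counts = Counter()
    for rec in map(parse, lines):
        if rec.get("action") != "allow" or rec.get("src") in allowlist:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # only internal-to-external traffic counts as outbound
        counts[rec["src"]] += 1
    return counts


def anomalous_hosts(lines, factor: float = 3.0, min_hosts: int = 3) -> list:
    """Flag hosts whose outbound-allowed count exceeds median + factor * MAD across all hosts."""
    counts = outbound_allowed_counts(lines)
    if len(counts) < min_hosts:
        return []  # too few hosts to form a meaningful baseline
    values = list(counts.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values) or 1.0
    return sorted(host for host, c in counts.items() if c > median + factor * mad)
```

Tune `factor` and the baseline window against your own firewall volumes; a per-host historical baseline rather than a cross-host one will reduce noise on networks with a few legitimately chatty servers.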