Managed Sentinel – Alert 105
| Field | Value |
|---|---|
| Alert Name | Sustained connection(s) from an internal host for more than X hours through firewall |
| Description | This alert triggers whenever there are sustained connections from or towards an internal host for more than X hours. The customer provides the time limit (X) used when the alert is created. |
| Threat Indicator | Improper Usage |
| MITRE ATT&CK Tactics | Persistence |
| False Positive | Sanctioned cloud applications |
| Recommendations | Investigate in Sentinel the internal IP address whose session has stayed open for a long time. Identify any lateral movement from this IP address within your organization. |
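The detection logic behind this alert and the lateral-movement check from the recommendation, as an added Python example that is not Managed Sentinel's own rule. It assumes firewall session records flattened to (timestamp, source IP, destination IP, destination port), a hypothetical allowlist of sanctioned cloud endpoints for the documented false positive, RFC 1918 ranges as the definition of "internal", and a constructed 4-hour silence threshold that separates one sustained session from two separate ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
# Constructed sample firewall session records (not real traffic):
# (timestamp, source IP, destination IP, destination port)
SAMPLE_EVENTS = [
    ("2024-01-10 08:00:00", "10.1.2.3", "203.0.113.10", 443),
    ("2024-01-10 10:30:00", "10.1.2.3", "203.0.113.10", 443),
    ("2024-01-10 14:00:00", "10.1.2.3", "203.0.113.10", 443),
    ("2024-01-10 17:15:00", "10.1.2.3", "203.0.113.10", 443),   # 9.25 h: alert
    ("2024-01-10 12:00:00", "10.1.2.3", "10.1.9.9", 445),       # internal peer
    ("2024-01-10 08:00:00", "10.1.2.5", "192.0.2.50", 443),
    ("2024-01-10 11:30:00", "10.1.2.5", "192.0.2.50", 443),
    ("2024-01-10 15:00:00", "10.1.2.5", "192.0.2.50", 443),
    ("2024-01-10 18:30:00", "10.1.2.5", "192.0.2.50", 443),     # 10.5 h, but sanctioned
    ("2024-01-10 01:00:00", "10.1.2.6", "203.0.113.20", 8443),
    ("2024-01-10 20:00:00", "10.1.2.6", "203.0.113.20", 8443),  # 19 h apart: no session
]
# Hypothetical allowlist of sanctioned cloud application endpoints (the
# documented false positive); RFC 1918 ranges stand in for "internal host".
SANCTIONED_DESTINATIONS = {"192.0.2.50"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def sustained_connections(events, max_hours, gap_hours=4.0,
                          sanctioned=SANCTIONED_DESTINATIONS):
    """Flows with a continuous session longer than max_hours (the customer's X). Records
    closer together than gap_hours join one session; a longer silence starts a new one."""
    max_span, max_gap = timedelta(hours=max_hours), timedelta(hours=gap_hours)
    by_flow = defaultdict(list)
    for ts, src, dst, port in events:
        if is_internal(src) and dst not in sanctioned:
            by_flow[(src, dst, port)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    alerts = []
    for (src, dst, port), stamps in by_flow.items():
        stamps.sort()
        start = prev = stamps[0]
        for ts in stamps[1:] + [None]:      # None closes the final session
            if ts is None or ts - prev > max_gap:
                if prev - start > max_span:
                    alerts.append({"src": src, "dst": dst, "port": port,
                                   "hours": (prev - start).total_seconds() / 3600})
                start = ts
            prev = ts
    return alerts

def internal_peers(events, src):
    """Internal hosts the flagged source also reached (lateral-movement check)."""
    return sorted({dst for _, s, dst, _ in events if s == src and is_internal(dst)})
```

Tuning `gap_hours` matters as much as X: too large a gap merges a morning and an evening session into one false "20-hour" connection, too small splits a genuinely long session into pieces that never reach X.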