Managed Sentinel – Alert 105

Alert IDMS-A105
Alert NameSustained connection(s) from an internal host for more than x hours through firewall
DescriptionThis alert triggers whenever they is sustained connections from or towards an internal host for more than X hours.

Customer to provide the time limit for alert creation.
Severity LevelLow
Threat IndicatorImproper Usage
MITRE ATT&CK TacticsPersistence
Log sourcesFirewalls
False PositiveSanctioned Cloud applications
RecommendationsInvestigate in Sentinel the internal IP address that has the long session opened for a long time. Identify any lateral movements from this IP address in your organization.