Managed Sentinel – Alert 114

Alert ID: MS-A114
Alert Name: Connections to unsanctioned SMTP servers
Description: This alert identifies internal hosts connecting to SMTP servers other than the sanctioned relays. Internal hosts should only send mail through the SMTP relay servers configured for internal use; direct connections from internal hosts to other mail servers on the SMTP ports (25, 465, 587) bypass the corporate mail gateway and its logging and filtering controls, and can serve as a channel for command and control or data exfiltration.
Severity Level: Low
Threat Indicator: Improper Usage
MITRE ATT&CK Tactics: Command and Control, Exfiltration
Log Sources: Firewalls
False Positives: Personal devices used on the corporate network
Recommendations:
1. Block SMTP traffic to non-sanctioned mail gateways at the perimeter firewall.
2. Review the internal device that generated the SMTP traffic.
3. Notify the user of the improper traffic and ask them to review the corporate Acceptable Use Policy (AUP).
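The detection logic described above, run over constructed firewall log lines, as an added example; it is not Managed Sentinel's rule or code. The relay addresses, the personal-device (BYOD) subnet used to flag the listed false positive, and the key=value firewall log format are assumptions made for the illustration. Connections from internal hosts to any SMTP port whose destination is not a sanctioned relay are reported, and findings are then grouped per source host to support the review step in the recommendations.

```python
"""Detection logic for 'Connections to unsanctioned SMTP servers' over
constructed firewall log lines. Example code added to illustrate the alert,
not Managed Sentinel's own rule. Relay addresses, the BYOD subnet and the
key=value log format are assumptions."""
import ipaddress
from collections import defaultdict

SANCTIONED_RELAYS = {"10.0.5.25", "10.0.5.26"}        # assumed internal SMTP relays
SMTP_PORTS = {25, 465, 587}                           # SMTP, SMTPS, submission
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BYOD_NET = ipaddress.ip_network("192.168.10.0/24")    # assumed personal-device VLAN

# Constructed sample firewall log (not real data).
SAMPLE_LOG = """\
2024-03-01T09:12:03Z src=10.1.2.3 dst=10.0.5.25 dport=25 proto=tcp action=allow
2024-03-01T09:12:07Z src=10.1.2.3 dst=203.0.113.10 dport=25 proto=tcp action=allow
2024-03-01T09:13:41Z src=10.1.2.4 dst=198.51.100.7 dport=587 proto=tcp action=allow
2024-03-01T09:13:42Z src=10.1.2.4 dst=198.51.100.7 dport=443 proto=tcp action=allow
2024-03-01T09:15:00Z src=203.0.113.50 dst=10.0.5.25 dport=25 proto=tcp action=allow
2024-03-01T09:16:22Z src=192.168.10.9 dst=203.0.113.10 dport=465 proto=tcp action=deny
this line is not parseable
"""


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; return None if malformed."""
    parts = line.split()
    if not parts or "=" in parts[0]:
        return None
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    if not {"src", "dst", "dport"}.issubset(fields):
        return None
    try:
        fields["dport"] = int(fields["dport"])
        ipaddress.ip_address(fields["src"])
        ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    return fields


def is_internal(ip):
    """True if the address falls in one of the RFC 1918 internal ranges."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def find_unsanctioned_smtp(log_text):
    """Return records for internal hosts reaching SMTP ports on non-relay hosts.

    Denied connections are kept as well: a blocked attempt still shows the
    host tried to bypass the relay, which is what the review step needs."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in SMTP_PORTS:
            continue
        if not is_internal(rec["src"]):        # rule scope: internal hosts only
            continue
        if rec["dst"] in SANCTIONED_RELAYS:    # relay use is the expected path
            continue
        # Tag the listed false positive instead of suppressing it, so an
        # analyst still sees personal-device traffic but can triage it faster.
        rec["possible_byod"] = ipaddress.ip_address(rec["src"]) in BYOD_NET
        findings.append(rec)
    return findings


def hosts_to_review(findings):
    """Recommendation 2: group findings by source host with what it reached."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["src"]].add((f["dst"], f["dport"], f.get("action", "?")))
    return dict(by_host)


if __name__ == "__main__":
    for host, dests in hosts_to_review(find_unsanctioned_smtp(SAMPLE_LOG)).items():
        print(host, sorted(dests))
```

On the sample above, the connection to the sanctioned relay, the HTTPS connection and the externally sourced line are all ignored; the two external SMTP connections from corporate hosts and the denied attempt from the personal-device VLAN are reported, the latter tagged as a possible false positive.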