Managed Sentinel – Alert 114

| Alert ID | MS-A114 |
| --- | --- |
| Alert Name | Connections to unsanctioned SMTP servers |
| Description | This alert identifies internal hosts accessing unsanctioned SMTP servers. Internal hosts should only use the SMTP relay servers configured for internal use. |
| Severity Level | Low |
| Threat Indicator | Improper Usage |
| MITRE ATT&CK Tactics | Command and Control, Exfiltration |
| Log sources | Firewalls |
| False Positive | Personal devices used in the corporate network |
| Recommendations | 1. Block SMTP traffic to non-sanctioned mail gateways at the perimeter firewall. 2. Review the internal device that generated the SMTP traffic. 3. Notify the user of the improper traffic and ask them to review the corporate AUP. |
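
The detection described in the table, sketched as an added example (not Managed Sentinel's own rule): it flags internal sources that connect on SMTP ports 25, 465 and 587 to anything other than the sanctioned relays, grouped per host for the device review in the recommendations. The log layout, relay addresses and internal ranges are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions for this example (not taken from the alert definition):
SANCTIONED_RELAYS = {"10.0.5.25", "10.0.5.26"}  # hypothetical internal SMTP relays
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMTP_PORTS = {25, 465, 587}  # SMTP, SMTP over TLS, mail submission

# Constructed firewall log lines in a simple key=value layout.
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z action=allow src=10.1.2.30 dst=10.0.5.25 dport=25 proto=tcp
2024-05-01T09:00:07Z action=allow src=10.1.2.44 dst=203.0.113.10 dport=587 proto=tcp
2024-05-01T09:01:12Z action=deny src=10.1.2.44 dst=203.0.113.10 dport=25 proto=tcp
2024-05-01T09:02:40Z action=allow src=10.1.3.9 dst=198.51.100.7 dport=443 proto=tcp
2024-05-01T09:03:05Z action=allow src=198.51.100.99 dst=10.0.5.25 dport=25 proto=tcp
2024-05-01T09:04:18Z action=allow src=10.0.5.25 dst=192.0.2.50 dport=25 proto=tcp
2024-05-01T09:05:00Z malformed line without fields
"""

def parse_line(line):
    """Return the key=value fields of one log line, or None if required fields are missing."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
    if not {"action", "src", "dst", "dport"} <= fields.keys():
        return None
    return fields

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def find_unsanctioned_smtp(log_text):
    """Group SMTP connections from internal hosts to non-sanctioned servers by source host."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["dport"].isdigit() or int(rec["dport"]) not in SMTP_PORTS:
            continue
        src, dst = rec["src"], rec["dst"]
        # The relays themselves must reach external mail servers, so skip them as sources.
        if not is_internal(src) or src in SANCTIONED_RELAYS or dst in SANCTIONED_RELAYS:
            continue
        host = findings.setdefault(src, {"destinations": set(), "allow": 0, "deny": 0})
        host["destinations"].add(dst)
        host[rec["action"]] = host.get(rec["action"], 0) + 1
    return findings

if __name__ == "__main__":
    print(find_unsanctioned_smtp(SAMPLE_LOGS))
```

Denied attempts are counted alongside allowed ones, since a blocked connection still identifies a host that is configured to bypass the relay.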
