Managed Sentinel – Alert 149

Alert ID: MS-A149
Alert Name: Firewall external average attack detection rate increase
Description: This alert helps you determine whether Cisco ASA devices are under heavier attack than normal by comparing the volume of DeviceEventClassID 733100 (threat-detection rate exceeded) events over the last hour against the previous 6 hours.
References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html
Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html
Severity Level: Low
Threat Indicator: Reconnaissance
MITRE ATT&CK Tactics: Discovery
Log sources: Firewall
False Positive: External sanctioned pentest
Recommendations:
1. Engage your ISP to block the originating IP address(es) upstream
2. Add the attacker IP addresses to the perimeter firewall's blocked-IP list (block inbound)
3. Use Azure Sentinel to query and report all access from the subject IP addresses to other internal DMZ resources
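The following KQL is an added illustration of the "last hour versus previous 6 hours" comparison described above; it is not the Managed Sentinel rule's own query. It assumes ASA syslog is ingested via CEF into the CommonSecurityLog table with DeviceVendor "Cisco" and DeviceProduct "ASA", and the 2x ratio and minimum count of 10 are assumed thresholds to tune, not values taken from the alert.

```kusto
// Added example, not the Managed Sentinel rule itself.
// Assumes Cisco ASA syslog lands in CommonSecurityLog via the CEF connector.
let currentWindow = 1h;
let baselineWindow = 6h;
// Hourly average of 733100 events over the 6 hours preceding the last hour.
// summarize count() always returns one row, so an empty baseline yields 0, not null.
let baselineHourlyAvg = toscalar(
    CommonSecurityLog
    | where TimeGenerated between (ago(baselineWindow + currentWindow) .. ago(currentWindow))
    | where DeviceVendor == "Cisco" and DeviceProduct == "ASA"   // assumed field values
    | where DeviceEventClassID == "733100"
    | summarize count()
) / 6.0;
// Count of the same events in the most recent hour, with the sources seen.
CommonSecurityLog
| where TimeGenerated > ago(currentWindow)
| where DeviceVendor == "Cisco" and DeviceProduct == "ASA"
| where DeviceEventClassID == "733100"
| summarize currentCount = count(), SourceIPs = make_set(SourceIP, 50)
| extend baselineHourlyAvg = baselineHourlyAvg
// If there was no baseline at all, treat any activity as an increase.
| extend ratio = iff(baselineHourlyAvg > 0, toreal(currentCount) / baselineHourlyAvg, toreal(currentCount))
// Assumed thresholds: at least 10 events and at least double the hourly baseline.
| where currentCount >= 10 and ratio >= 2.0
| project currentCount, baselineHourlyAvg, ratio, SourceIPs
```

The SourceIPs column feeds recommendation 3 directly: pivot on those addresses against DMZ destinations before deciding whether the spike is an attack or a sanctioned test.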