Managed Sentinel – Alert 208

Alert ID: MS-A208
Alert Name: Internal hosts using POP3 or IMAP email clients
Description: This alert identifies internal hosts using IMAP/POP3 email accounts. Users should not be allowed to use unsanctioned email clients.
Severity Level: Low
Threat Indicator: Improper Usage
MITRE ATT&CK Tactics: Exfiltration, Command and Control
Log sources: Firewalls
False Positive: Personal managed devices used in the corporate network
Recommendations:
1. Block this specific application in the perimeter firewall (applicable to NGFW).
2. Notify the user about improper use of technologies, based on the organization's AUP standard.
3. Perform an AV/AM scan of the user machine (applicable to corporate managed systems).
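
The detection described above, sketched as an added example over firewall records; it is not Managed Sentinel's own rule. The key=value log format, the sample records, and the use of RFC 1918 ranges as "internal" are assumptions, and matching is by destination port rather than by NGFW application identification.

```python
import ipaddress
from collections import defaultdict

# IANA well-known ports for mail retrieval protocols.
MAIL_PORTS = {110: "POP3", 143: "IMAP", 993: "IMAPS", 995: "POP3S"}
# Assumption: "internal" means RFC 1918 space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall records in a hypothetical key=value format.
SAMPLE_LOGS = [
    "2024-05-01T09:00:01Z action=allow src=10.1.4.23 dst=203.0.113.10 dport=993",
    "2024-05-01T09:05:01Z action=allow src=10.1.4.23 dst=203.0.113.10 dport=993",
    "2024-05-01T09:07:12Z action=allow src=10.1.7.5 dst=198.51.100.25 dport=110",
    "2024-05-01T09:07:40Z action=allow src=10.1.7.5 dst=10.1.0.20 dport=143",
    "2024-05-01T09:08:03Z action=allow src=10.1.9.9 dst=203.0.113.10 dport=443",
    "2024-05-01T09:09:55Z action=deny src=192.168.2.14 dst=198.51.100.25 dport=995",
    "2024-05-01T09:10:00Z truncated record",
]

def is_internal(ip):
    """True if ip falls inside one of the configured internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_mail_clients(lines):
    """Return {internal_host: {"protocols", "destinations", "sessions"}}."""
    hits = defaultdict(lambda: {"protocols": set(), "destinations": set(), "sessions": 0})
    for line in lines:
        rec = dict(f.split("=", 1) for f in line.split() if "=" in f)
        try:
            src, dst, port = rec["src"], rec["dst"], int(rec["dport"])
            outbound = is_internal(src) and not is_internal(dst)
        except (KeyError, ValueError):
            continue  # skip malformed or truncated records
        # Only permitted sessions from inside to outside on a mail-retrieval port.
        if rec.get("action") == "allow" and outbound and port in MAIL_PORTS:
            hits[src]["protocols"].add(MAIL_PORTS[port])
            hits[src]["destinations"].add(dst)
            hits[src]["sessions"] += 1
    return dict(hits)

if __name__ == "__main__":
    for host, info in sorted(find_mail_clients(SAMPLE_LOGS).items()):
        print(host, sorted(info["protocols"]), sorted(info["destinations"]), info["sessions"])
```

Traffic to an internal mail server and denied sessions are excluded here, so a host already blocked by recommendation 1 will not be reported again.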