Managed Sentinel – Alert 010
| Alert ID | MS-A010 |
| Alert Name | FTP/SFTP from Internal hosts to foreign countries |
| Description | This alert triggers when an internal host performs an FTP, SFTP or SSH connection to one or more external servers located outside the local geo defined by the customer. Recommended foreign countries to include: China, Iran, North Korea, etc. |
| Severity Level | Low |
| Threat Indicator | Data leakage |
| MITRE ATT&CK Tactics | Execution, Lateral Movement, Exfiltration |
| Log sources | Firewalls |
| False Positive | N/A |
| Recommendations | 1. Investigate in Sentinel the source host initiating this type of outbound connection, and understand whether any other suspicious traffic has originated from the source host/user. 2. Block this specific outbound traffic in the perimeter firewall. 3. If a malicious host and/or data leakage is confirmed, immediately disconnect the impacted host and perform a full EDR scan of the machine. 4. Collect evidence for future investigations. |
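The detection described above, as an added example that is not Managed Sentinel's own rule: a Python pass over constructed firewall log lines that flags allowed FTP/FTPS/SSH connections from internal hosts to external addresses whose country is outside the customer's local geo. The pipe-delimited log format, the GEO lookup table, the LOCAL_GEO set, the INTERNAL ranges and the Finding type are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Managed Sentinel code: flags allowed FTP/FTPS/SSH flows from
# internal hosts to external countries outside the customer's local geo (values assumed).
FTP_SSH_PORTS = {21, 22, 990}          # ftp, ssh/sftp, ftps
LOCAL_GEO = {"US", "CA"}               # customer-defined local geo (assumed)
INTERNAL = [ipaddress.ip_network(n)    # customer address space (RFC 1918 here)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed GeoIP table standing in for a real enrichment source.
GEO = {"203.0.113.10": "CN", "198.51.100.7": "IR", "192.0.2.44": "US"}

# Constructed firewall lines: action|src_ip|dst_ip|dst_port
SAMPLE_LOGS = """\
allow|10.0.5.21|203.0.113.10|22
allow|10.0.5.21|192.0.2.44|22
deny|10.0.5.30|198.51.100.7|21
allow|10.0.5.30|198.51.100.7|990
allow|10.0.5.40|10.0.9.9|22
allow|10.0.5.40|203.0.113.10|443
"""

@dataclass(frozen=True)
class Finding:
    src_ip: str
    dst_ip: str
    dst_port: int
    country: str

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def detect(log_text: str, local_geo=LOCAL_GEO, geo=GEO) -> list:
    findings = []
    for line in log_text.splitlines():
        action, src, dst, port = line.split("|")
        port = int(port)
        if action != "allow" or port not in FTP_SSH_PORTS:
            continue                    # already blocked, or not ftp/sftp/ssh
        if not is_internal(src) or is_internal(dst):
            continue                    # only internal -> external flows matter
        country = geo.get(dst, "UNKNOWN")   # unresolved geo still gets flagged
        if country not in local_geo:
            findings.append(Finding(src, dst, port, country))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f.src_ip} -> {f.dst_ip}:{f.dst_port} ({f.country})")
```

Denied connections are skipped because the firewall already blocked them; a destination with no geo resolution is still reported so it can be reviewed rather than silently dropped.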
