Managed Sentinel – Alert 034

| Field | Value |
| --- | --- |
| Alert ID | MS-A034 |
| Alert Name | Excessive Outbound Firewall Allows (Cisco ASA Firewall) |
| Description | An outlier-type alert that surfaces abnormal spikes in outbound traffic leaving the company network towards an untrusted zone. |
| Severity Level | Medium |
| Threat Indicator | Compromised Host |
| MITRE ATT&CK Tactics | Persistence, Discovery, Collection |
| Log Sources | Firewall Traffic Logs |
| False Positives | Asset inventory, application scanners, vulnerability scans (if the organization does not block outbound traffic at the perimeter firewall) |
| Recommendations | 1. Review the configuration of the internal machine(s) generating this traffic. 2. Run an EDR scan on the internal host. 3. If applicable, quarantine or disconnect the machine from the internal network. 4. Review perimeter firewall logs for indicators of large data transfers from the internal machine to internet destinations (data leakage). |
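As an added illustration of the outlier logic this alert describes (not the Managed Sentinel rule itself), the Python below counts outbound connection builds per internal host from constructed Cisco ASA-style log lines and flags hosts whose count exceeds their historical baseline. The log format, zone names, hosts, baseline values and thresholds are all assumptions.

```python
import re
import statistics
from collections import Counter

# Constructed lines in the style of ASA "Built outbound TCP connection" messages.
# "outside" is the untrusted zone, "inside" the company network (assumed names).
_CONN_RE = re.compile(
    r"Built outbound TCP connection \d+ for "
    r"(?P<dst_zone>\w+):(?P<dst_ip>[\d.]+)/\d+ \([\d./]+\) to "
    r"(?P<src_zone>\w+):(?P<src_ip>[\d.]+)/\d+ \([\d./]+\)"
)

def count_outbound_allows(lines, untrusted_zone="outside"):
    """Count allowed outbound connection builds per internal source host."""
    counts = Counter()
    for line in lines:
        m = _CONN_RE.search(line)
        if m and m.group("dst_zone") == untrusted_zone:
            counts[m.group("src_ip")] += 1
    return counts

def find_outliers(current, baseline, min_events=50, k=3.0):
    """Flag hosts whose count exceeds max(min_events, mean + k*stdev) of their
    per-window history; hosts with no usable history use min_events alone."""
    outliers = {}
    for host, count in current.items():
        history = baseline.get(host, [])
        threshold = min_events
        if len(history) >= 2:
            mean, stdev = statistics.mean(history), statistics.pstdev(history)
            threshold = max(min_events, mean + k * stdev)
        if count > threshold:
            outliers[host] = count
    return outliers

def _conn_line(conn_id, src_ip, dst_ip):  # builds one constructed sample line
    return (f"%ASA-6-302013: Built outbound TCP connection {conn_id} for "
            f"outside:{dst_ip}/443 ({dst_ip}/443) to inside:{src_ip}/{40000 + conn_id} "
            f"(198.51.100.1/{40000 + conn_id})")

SAMPLE_LINES = (
    [_conn_line(i, "10.0.0.5", "203.0.113.10") for i in range(120)]   # spike
    + [_conn_line(200 + i, "10.0.0.7", "203.0.113.20") for i in range(5)]
    + [_conn_line(300 + i, "10.0.0.9", "203.0.113.30") for i in range(3)]  # no history
    + ["%ASA-6-302013: Built inbound TCP connection 999 for outside:203.0.113.5/51000 "
       "(203.0.113.5/51000) to inside:10.0.0.5/443 (198.51.100.1/443)"]  # ignored
)
# Assumed per-window counts from earlier windows for each host.
BASELINE = {"10.0.0.5": [20, 25, 22, 18, 24], "10.0.0.7": [4, 6, 5, 5, 4]}

def demo():
    return find_outliers(count_outbound_allows(SAMPLE_LINES), BASELINE)
```

Only 10.0.0.5 is reported; the inbound line is ignored and the low-volume hosts stay below the floor.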