Managed Sentinel – Alert 045
| Field | Value |
| --- | --- |
| Alert ID | MS-A045 |
| Alert Name | High Number of Connections on Specific Opened Ports |
| Description | Triggered when a high number of connections is observed on monitored ports such as tcp/1433 and tcp/3389. The customer provides the list of monitored ports, based on the specifics of each environment. |
| Severity Level | Medium |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Initial Access, Persistence, Defense Evasion, Exfiltration |
| Log sources | Firewalls |
| False Positive | Unknown |
| Recommendations | The appropriate action varies from case to case depending on the ports and applications involved, the volume of data transferred and the number of sessions. If anything suspicious is seen, scan the source machine, and investigate in Sentinel by pivoting on the source machine name, IP address and username. If the traffic relates to a DMZ machine (inbound Internet traffic allowed), correct the firewall rules to limit access to the specific applications and ports required. |
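The following KQL analytics rule is an added example of how a detection of this shape can be expressed in Sentinel; it is not the Managed Sentinel rule itself. It assumes firewall logs are ingested into the `CommonSecurityLog` (CEF) table, and the `monitored_ports` list, the `threshold` value and the one-hour window are placeholders that, as the alert description requires, have to be supplied and tuned per environment. Counting only sessions the firewall allowed keeps the result focused on connections that actually reached the service, and the per-source summary carries the pivots (source IP, username, bytes transferred, session count) that the recommendations call for.

```kql
// Added example, not Managed Sentinel's own rule.
// Assumptions: firewall logs land in CommonSecurityLog (CEF); the port list and
// threshold are placeholders to be set per environment.
let monitored_ports = dynamic([1433, 3389]);   // customer-supplied list (assumption)
let threshold = 200;                            // allowed sessions per source per hour (assumption)
let lookback = 1h;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DestinationPort in (monitored_ports)
// keep only sessions the firewall allowed; denied attempts are a different signal
| where DeviceAction !in~ ("Deny", "Drop", "Reject")
| summarize
    ConnectionCount      = count(),
    DistinctDestinations = dcount(DestinationIP),
    BytesTransferred     = sum(coalesce(SentBytes, 0) + coalesce(ReceivedBytes, 0)),
    Users                = make_set(SourceUserName, 10),
    FirstSeen            = min(TimeGenerated),
    LastSeen             = max(TimeGenerated)
    by SourceIP, DestinationPort, DeviceVendor
| where ConnectionCount > threshold
// pivots for the investigation the recommendations describe
| project SourceIP, DestinationPort, DeviceVendor, ConnectionCount,
          DistinctDestinations, BytesTransferred, Users, FirstSeen, LastSeen
| order by ConnectionCount desc
```

When wiring this into an analytics rule, map `SourceIP` to the IP entity and `Users` to the Account entity so the incident opens with the source machine and username already linked; for the DMZ case, filtering on the firewall zone or interface field your vendor populates (not shown above, as it varies by device) separates inbound Internet traffic from internal east-west sessions, which usually need a different threshold.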
