Managed Sentinel – Alert 055
| Field | Value |
|---|---|
| Alert ID | MS-A055 |
| Alert Name | Internal hosts matching 3 or more distinct IPS signatures within an hour |
| Description | This alert is an indicator that an internal host has been compromised and is attempting to attack other hosts or is communicating with a command and control server |
| Severity Level | Medium |
| Threat Indicator | Compromised host |
| MITRE ATT&CK Tactics | Persistence, Lateral Movement, Command and Control |
| Log sources | IPS |
| Recommendations | 1. Perform an investigation in Azure Sentinel and determine whether any other alerts relate to the internal host 2. If required, isolate the internal host from the corporate network 3. Perform a full EDR scan on the affected internal host 4. If malicious content was detected on the host, perform a full reimage of the machine |
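One way to express this alert as an Azure Sentinel scheduled analytics rule, written here as an added example rather than Managed Sentinel's own rule; it assumes the IPS events arrive via CEF into the `CommonSecurityLog` table, that `DeviceEventClassID` carries the IPS signature identifier, that `SourceIP` is the internal host, and that "internal" means an RFC 1918 private address.

```kql
// Added example: internal hosts triggering 3+ distinct IPS signatures within one hour.
// Assumptions: IPS events in CommonSecurityLog (CEF), signature ID in DeviceEventClassID,
// attacking host in SourceIP. Schedule the rule to run hourly with a 1h lookback.
let lookback = 1h;
let min_signatures = 3;
CommonSecurityLog
| where TimeGenerated >= ago(lookback)
| where isnotempty(DeviceEventClassID) and isnotempty(SourceIP)
// Hypothetical filter: narrow to the IPS product name used by your sensor.
| where DeviceProduct has "IPS"
// Only internal (private-range) hosts are in scope for this alert.
| where ipv4_is_private(SourceIP)
| summarize
    SignatureCount = dcount(DeviceEventClassID),
    Signatures     = make_set(DeviceEventClassID, 20),
    Targets        = make_set(DestinationIP, 20),
    EventCount     = count(),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by SourceIP
| where SignatureCount >= min_signatures
| order by SignatureCount desc, EventCount desc
// Map SourceIP to the Host/IP entity in the rule's entity mapping so the
// incident can be pivoted to other alerts on the same internal host (step 1).
```

Tuning note: hosts such as vulnerability scanners legitimately match many signatures, so exclude those source addresses with a watchlist before the `summarize` to keep the Medium-severity queue actionable.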
