Managed Sentinel – Alert 105
| Field | Value |
|---|---|
| Alert ID | MS-A105 |
| Alert Name | Sustained connection(s) from an internal host for more than X hours through firewall |
| Description | This alert triggers whenever there are sustained connections from or towards an internal host for more than X hours. The customer provides the time limit (X) used when the alert is created. |
| Severity Level | Low |
| Threat Indicator | Improper Usage |
| MITRE ATT&CK Tactics | Persistence, Exfiltration |
| Log sources | Firewalls |
| False Positive | Sanctioned cloud applications |
| Recommendations | Investigate in Sentinel the internal IP address that has kept the session open for a long time. Identify any lateral movement from this IP address within your organization. |
