Managed Sentinel – Alert 149
| Field | Value |
| --- | --- |
| Alert ID | MS-A149 |
| Alert Name | Firewall external average attack detection rate increase |
| Description | Flags Cisco ASA devices that appear to be under heavier attack than normal: the number of threat-detection messages with DeviceEventClassID 733100 ("drop rate exceeded") logged in the last hour is compared with the device's hourly rate over the previous 6 hours. Note that 733100 is only emitted when the ASA's basic threat-detection rate thresholds are exceeded, so the baseline depends on how those thresholds are configured on each device. References: Cisco ASA syslog message guide, https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html; troubleshooting and investigation guidance for ASA threat detection, https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html |
| Severity Level | Low |
| Threat Indicator | Reconnaissance |
| MITRE ATT&CK Tactics | Discovery |
| Log sources | Firewall |
| False Positive | Sanctioned external penetration test |
| Recommendations | 1. Engage your ISP to block the originating IP address(es) upstream. 2. Add the attacker IP addresses to the perimeter firewall's inbound block list. 3. Use Azure Sentinel to query and report all access from the subject IP addresses to other internal and DMZ resources. |
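The comparison the description outlines (last hour versus the preceding 6 hours of 733100 messages, per ASA device), written out as a KQL query. This is an added example, not the Managed Sentinel rule's own query. It assumes ASA syslog lands in CommonSecurityLog through the CEF/Syslog connector with DeviceVendor "Cisco" and DeviceProduct "ASA"; the minimum-count and ratio thresholds are illustrative values to be tuned per tenant.

```kql
// Added example, not the Managed Sentinel rule: count Cisco ASA 733100
// "drop rate exceeded" messages per device in the last hour and compare
// them with the average hourly count over the preceding 6 hours.
// Assumptions: CommonSecurityLog populated via the CEF/Syslog connector with
// DeviceVendor "Cisco" / DeviceProduct "ASA"; thresholds below are illustrative.
let recent_window = 1h;
let baseline_window = 6h;
let min_recent_events = 20;   // ignore a handful of messages on a quiet device
let min_ratio = 2.0;          // alert when the last hour is >= 2x the baseline hourly average
CommonSecurityLog
| where TimeGenerated > ago(recent_window + baseline_window)
| where DeviceVendor == "Cisco" and DeviceProduct == "ASA"
| where DeviceEventClassID == "733100"
| summarize
    recent_events   = countif(TimeGenerated > ago(recent_window)),
    baseline_events = countif(TimeGenerated <= ago(recent_window)),
    sample_message  = take_any(Message)
    by DeviceName
// timespan / timespan yields a real, so this is 6.0 for a 6h baseline
| extend baseline_hourly_avg = todouble(baseline_events) / (baseline_window / 1h)
// a device with no baseline messages at all is treated as an infinite increase
| extend ratio = iff(baseline_hourly_avg > 0, todouble(recent_events) / baseline_hourly_avg, real(+inf))
| where recent_events >= min_recent_events and ratio >= min_ratio
| project DeviceName, recent_events, baseline_events, baseline_hourly_avg, ratio, sample_message
| order by ratio desc
```

The `min_recent_events` floor matters because the baseline is frequently zero on a device that only rarely trips its threat-detection thresholds; without it, a single 733100 message after six quiet hours would produce an infinite ratio and an alert. A sanctioned external penetration test will show up here exactly like an attack, so check the engagement calendar before escalating.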
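Recommendation 3 (query all access from the subject IP addresses to internal and DMZ resources) as a KQL query over the same CommonSecurityLog table. This is an added example, not part of the original alert. The 733100 message itself does not name the attacking host, so the addresses come from triage (for example the ASA 733101/733102 threat-detection messages or 106023 ACL-deny messages); the two source IPs and the DMZ range below are constructed documentation-range placeholders, and the 7-day lookback is an assumption.

```kql
// Added example, not part of the alert definition: list every session the
// suspect IPs attempted against DMZ hosts, including ones the ASA permitted.
// The IPs and DMZ range are constructed placeholders; replace with real values.
let suspect_ips = dynamic(["203.0.113.10", "198.51.100.7"]);
let dmz_range = "192.0.2.0/24";   // assumed DMZ subnet
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor == "Cisco" and DeviceProduct == "ASA"
| where SourceIP in (suspect_ips)
| where ipv4_is_in_range(DestinationIP, dmz_range)
| summarize
    events      = count(),
    first_seen  = min(TimeGenerated),
    last_seen   = max(TimeGenerated),
    ports       = make_set(DestinationPort, 50),
    message_ids = make_set(DeviceEventClassID, 20)
    by SourceIP, DestinationIP, DeviceAction
| order by events desc
```

Group by `DeviceAction` so that permitted connections stand out from the denied ones: a scan that was entirely dropped is reconnaissance, but any permitted session to a DMZ host from the same source needs to be followed into that host's own logs before the IP is simply blocked.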