Microsoft Defender Alert for Suspicious Network Traffic from Specific IP Address
Dear Microsoft Support Team,
I am seeking assistance regarding a security alert generated by Microsoft Defender on my internet-facing SFTP server. The alert pertains to suspicious network traffic originating from a specific IP address. Despite reviewing the available logs and utilizing our SIEM system, I have been unable to gather detailed information about this activity. Details:
- Alert Type: Suspicious network traffic detected by Microsoft Defender
- Server Role: Internet-facing SFTP server
- Observations:
  - Multiple unauthorized SSH connection attempts from various IP addresses
  - Defender flagged only the specified IP address for suspicious activity
  - Limited information available in both Defender and our SIEM system regarding this alert

I would appreciate your assistance in understanding the following:
- Reason for Alert Specificity: Why did Microsoft Defender flag only this particular IP address among the numerous unauthorized connection attempts from multiple malicious IPs?
- Recommended Actions: What steps should I take to further investigate and mitigate potential threats from this IP address?
Your guidance will be instrumental in enhancing the security of our SFTP server and ensuring appropriate measures are implemented to address potential threats.
Thank you for your support.
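When the alert itself carries little detail, one concrete first step is to correlate the flagged address against the SFTP server's own sshd authentication log rather than the SIEM summary: it will not reveal Defender's internal reasoning, but it shows whether that address behaved differently from the other scanners (for instance, whether any of its attempts were accepted). The script below is an added example for this thread, not code from the poster or from Microsoft. It assumes OpenSSH syslog-style lines; the log lines and IP addresses in it are constructed placeholders, not the address from the alert.

```python
"""Triage helper: summarise sshd authentication activity per source IP.

Assumes classic OpenSSH syslog-style messages ("Failed password for ...",
"Invalid user ...", "Accepted publickey for ..."). The SAMPLE_LOG below is
constructed for illustration; replace it with the real auth log.
"""
import re
from collections import defaultdict

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# "invalid user" is optional: failures for valid accounts omit it.
FAILED = re.compile(r"Failed (?:password|publickey) for (?:invalid user )?(\S+) from " + IPV4)
INVALID = re.compile(r"Invalid user (\S+) from " + IPV4)
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from " + IPV4)

# Constructed sample: one address guesses accounts and then logs in,
# one only hammers root, one is an ordinary key-based login.
SAMPLE_LOG = """\
Jan 10 03:12:01 sftp01 sshd[4121]: Invalid user admin from 198.51.100.23 port 51022
Jan 10 03:12:03 sftp01 sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Jan 10 03:12:09 sftp01 sshd[4130]: Invalid user test from 198.51.100.23 port 51040
Jan 10 03:12:11 sftp01 sshd[4130]: Failed password for invalid user test from 198.51.100.23 port 51040 ssh2
Jan 10 03:15:40 sftp01 sshd[4188]: Accepted password for sftpuser from 198.51.100.23 port 51101 ssh2
Jan 10 03:20:02 sftp01 sshd[4201]: Failed password for root from 203.0.113.7 port 40210 ssh2
Jan 10 03:20:05 sftp01 sshd[4201]: Failed password for root from 203.0.113.7 port 40210 ssh2
Jan 10 03:20:08 sftp01 sshd[4201]: Failed password for root from 203.0.113.7 port 40210 ssh2
Jan 10 04:00:00 sftp01 sshd[4302]: Accepted publickey for backup from 192.0.2.44 port 33022 ssh2
"""


def summarize(log_text):
    """Return {ip: {"failed": n, "invalid_users": set, "accepted": [users]}}."""
    stats = defaultdict(lambda: {"failed": 0, "invalid_users": set(), "accepted": []})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            _user, ip = m.groups()
            stats[ip]["failed"] += 1
            continue
        m = INVALID.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["invalid_users"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["accepted"].append(user)
    return dict(stats)


def prioritize(stats):
    """Order source IPs for investigation.

    Highest priority: an address that got an accepted login after failures
    (a guess that eventually succeeded). Next, by failure volume, so pure
    brute-force sources rank above ordinary successful logins.
    """
    def key(item):
        ip, s = item
        success_after_failures = 1 if (s["accepted"] and s["failed"]) else 0
        return (success_after_failures, s["failed"], len(s["accepted"]))
    return sorted(stats.items(), key=key, reverse=True)


if __name__ == "__main__":
    for ip, s in prioritize(summarize(SAMPLE_LOG)):
        print(f"{ip:15} failed={s['failed']:3} invalid_users={sorted(s['invalid_users'])} "
              f"accepted={s['accepted']}")
```

An address that appears at the top of this ordering with both failures and an accepted login is the one to pull session details for (which account, what files were touched, whether the login time matches the alert); addresses with failures only are candidates for rate limiting or blocking at the perimeter.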