Microsoft Defender Alert for Suspicious Network Traffic from Specific IP Address

Anonymous
2025-01-19T12:17:15+00:00

Dear Microsoft Support Team,

I am seeking assistance regarding a security alert generated by Microsoft Defender on my internet-facing SFTP server. The alert pertains to suspicious network traffic originating from a specific IP address. Despite reviewing the available logs and utilizing our SIEM system, I have been unable to gather detailed information about this activity.

Details:

  • Alert Type: Suspicious network traffic detected by Microsoft Defender
  • Server Role: Internet-facing SFTP server
  • Observations:
    • Multiple unauthorized SSH connection attempts from various IP addresses
    • Defender flagged only the specified IP address for suspicious activity
    • Limited information available in both Defender and our SIEM system regarding this alert

I would appreciate your assistance in understanding the following:

  1. Reason for Alert Specificity: Why did Microsoft Defender flag only this particular IP address among the numerous unauthorized connection attempts from multiple malicious IPs?
  2. Recommended Actions: What steps should I take to further investigate and mitigate potential threats from this IP address?

Your guidance will be instrumental in enhancing the security of our SFTP server and ensuring appropriate measures are implemented to address potential threats.

Thank you for your support.
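For the investigation asked about in item 2, here is an added example that is not part of the original post and not Microsoft's tooling: a small triage over sshd auth log lines (a constructed sample using documentation-range IPs) that separates the one source that eventually authenticated from the background of failed attempts. A success preceded by failures, or many distinct usernames from one source, is the kind of per-source detail that makes a single IP stand out among brute-force noise.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the original post); IPs are documentation ranges.
SAMPLE_AUTH_LOG = """\
Jan 18 03:12:01 sftp01 sshd[2211]: Invalid user admin from 203.0.113.7 port 51022
Jan 18 03:12:01 sftp01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 18 03:12:04 sftp01 sshd[2214]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 18 03:12:09 sftp01 sshd[2219]: Failed password for root from 198.51.100.23 port 40011 ssh2
Jan 18 03:12:10 sftp01 sshd[2220]: Failed password for root from 198.51.100.23 port 40012 ssh2
Jan 18 03:13:41 sftp01 sshd[2231]: Failed password for sftpuser from 192.0.2.55 port 60120 ssh2
Jan 18 03:13:43 sftp01 sshd[2231]: Failed password for sftpuser from 192.0.2.55 port 60120 ssh2
Jan 18 03:13:47 sftp01 sshd[2233]: Accepted password for sftpuser from 192.0.2.55 port 60121 ssh2
Jan 18 03:14:02 sftp01 sshd[2240]: Failed password for invalid user test from 203.0.113.7 port 51044 ssh2
"""

# Matches the three OpenSSH message shapes used above: "Invalid user X from IP",
# "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Failed password|Accepted \w+|Invalid user) "
    r"(?:for )?(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def triage_ssh_sources(log_text):
    """Per source IP: failed count, distinct usernames tried, accepted logins,
    and whether a success came after earlier failures from the same source."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": 0,
                                 "success_after_failure": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated sshd line, or a format this example does not parse
        s = stats[m["ip"]]
        if m["event"] == "Failed password":
            s["failed"] += 1
            s["users"].add(m["user"])
        elif m["event"].startswith("Accepted"):
            s["accepted"] += 1
            s["success_after_failure"] = s["success_after_failure"] or s["failed"] > 0
        else:  # "Invalid user": records the username probed even before the password fails
            s["users"].add(m["user"])
    return dict(stats)


def rank_sources(stats):
    """Sources worth a human look first: a success after failures outranks
    username spraying, which outranks raw failed-attempt volume."""
    return sorted(stats, key=lambda ip: (stats[ip]["success_after_failure"],
                                         len(stats[ip]["users"]), stats[ip]["failed"]), reverse=True)


if __name__ == "__main__":
    stats = triage_ssh_sources(SAMPLE_AUTH_LOG)
    for ip in rank_sources(stats):
        print(ip, stats[ip])
```

On a real host, feed it `/var/log/auth.log` (or `journalctl -u ssh`) instead of the sample; the source that succeeded after failing is the one to check against Defender's flagged IP and against the account's expected origin.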

1 answer

  1. Anonymous
    2025-01-21T09:54:46+00:00

    Hello CyberSec_96.

    Welcome to the Microsoft Community.

    Thank you for choosing Microsoft Defender to help optimize your security. Since we primarily assist personal and home users, when it comes to advanced applications of Microsoft Defender, our experience may not be applicable.

    We recommend posting in a dedicated community for more specialized assistance: Microsoft Defender for Cloud Apps - Microsoft Q&A

    Users or experts familiar with Microsoft Defender can provide you with professional advice!

    We hope these steps help resolve your issue.

    Best Regards,

    Eliac | Microsoft Community Support Specialist