Inbound management traffic allowed through the perimeter firewall (from the Internet or any other untrust zone)
Detects RDP and SSH connections from the Internet. Connections of this type should be made through a VPN tunnel. Exceptions can be added for approved applications.
MITRE ATT&CK Tactics
1. Apply firewall rules to block inbound traffic to specific management ports.
2. Deploy a jumpbox to consolidate all management flows, and allow traffic only from this specific host towards the internal network.
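As an added example (not part of the original rule), the following Python sketch runs the detection described above over constructed firewall log lines: it flags allowed TCP sessions to port 22 or 3389 that arrive from a source outside the internal ranges toward an internal host, and skips destinations on an approved-application exception list. The key=value log format, the RFC1918 definition of "internal" and the APPROVED set are assumptions.

```python
import ipaddress

# Management services the rule watches (from the rule description).
MGMT_PORTS = {22: "SSH", 3389: "RDP"}
# Assumption: "internal" means the RFC1918 ranges; anything else is untrust.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed exception list for approved applications: (dst, dport) pairs.
APPROVED = {("10.0.5.20", 22)}

def is_internal(ip: str) -> bool:
    """True when the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line: str) -> dict:
    """Parse a constructed key=value firewall log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)

def detect(lines) -> list:
    """Return one alert per allowed inbound SSH/RDP session from untrust."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("action") != "allow" or ev.get("proto") != "tcp":
            continue                      # only permitted TCP sessions matter
        dport = int(ev.get("dport", 0))
        if dport not in MGMT_PORTS:
            continue                      # not a management port
        src, dst = ev.get("src", ""), ev.get("dst", "")
        if not src or not dst or is_internal(src) or not is_internal(dst):
            continue                      # malformed, lateral or outbound traffic
        if (dst, dport) in APPROVED:
            continue                      # approved-application exception
        alerts.append({"src": src, "dst": dst, "service": MGMT_PORTS[dport]})
    return alerts

# Constructed sample log lines (TEST-NET sources stand in for the Internet).
SAMPLE_LOGS = [
    "ts=1 action=allow proto=tcp src=203.0.113.45 dst=10.0.5.10 dport=3389",
    "ts=2 action=allow proto=tcp src=198.51.100.7 dst=10.0.5.20 dport=22",
    "ts=3 action=deny proto=tcp src=203.0.113.9 dst=10.0.5.11 dport=22",
    "ts=4 action=allow proto=tcp src=10.1.1.4 dst=10.0.5.11 dport=22",
    "ts=5 action=allow proto=tcp src=203.0.113.45 dst=10.0.5.11 dport=443",
    "ts=6 action=allow proto=tcp src=192.0.2.77 dst=10.0.5.30 dport=22",
]

if __name__ == "__main__":
    print(detect(SAMPLE_LOGS))  # two alerts: RDP to 10.0.5.10, SSH to 10.0.5.30
```

Traffic from a jumpbox inside INTERNAL_NETS (remediation step 2) passes silently, so only flows that bypass it are raised.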