Managed Sentinel – Alert 048

Alert ID: MS-A048
Alert Name: Inbound management allowed traffic through perimeter firewall (Internet or any other untrust zones)
Description: Normally, all management traffic should stay within the internal network or arrive over the remote-access VPN. This alert looks for specific inbound management traffic, such as RDP and SSH, that the perimeter firewall allowed through from the Internet or another untrust zone.
Severity Level: Medium
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Defense Evasion, Collection
Log sources: Firewalls
False Positive: Unknown
Recommendations:
- Apply firewall rules to block inbound traffic to the specific management ports.
- Deploy a jumpbox to consolidate all management flows, and allow traffic only from that host towards the internal network.
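The detection logic described above, written out as an added Python example over constructed firewall log lines; this is not the Managed Sentinel rule's own query. The key=value log layout, the zone names (untrust, internet, vpn, trust) and the management ports beyond RDP and SSH are assumptions and should be adjusted to the firewall in use.

```python
import re
from typing import Dict, List

# Management services the alert looks for. RDP and SSH are the ones named in the
# alert description; Telnet and WinRM are an assumed extension for illustration.
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}

# Zone names are an assumption: adjust to the firewall's own zone naming.
UNTRUST_ZONES = {"untrust", "internet"}
ALLOW_ACTIONS = {"allow", "accept", "permit"}

# Constructed sample log lines in a simple key=value layout (not a real vendor format).
SAMPLE_LOGS = [
    "ts=2024-01-10T08:01:02Z action=allow src=203.0.113.7 srczone=untrust dst=10.0.0.5 dstzone=trust dport=3389 proto=tcp",
    "ts=2024-01-10T08:01:05Z action=deny src=198.51.100.9 srczone=untrust dst=10.0.0.5 dstzone=trust dport=22 proto=tcp",
    "ts=2024-01-10T08:02:11Z action=allow src=10.0.1.20 srczone=trust dst=10.0.0.5 dstzone=trust dport=22 proto=tcp",
    "ts=2024-01-10T08:02:40Z action=allow src=10.200.0.8 srczone=vpn dst=10.0.0.5 dstzone=trust dport=3389 proto=tcp",
    "ts=2024-01-10T08:03:01Z action=allow src=203.0.113.7 srczone=untrust dst=10.0.0.80 dstzone=trust dport=443 proto=tcp",
    "ts=2024-01-10T08:03:27Z action=allow src=198.51.100.9 srczone=internet dst=10.0.2.4 dstzone=dmz dport=22 proto=tcp",
    "malformed line with no fields",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; a line with no fields yields {}."""
    return dict(KV_RE.findall(line))

def is_inbound_management(event: Dict[str, str]) -> bool:
    """True when an allowed flow from an untrust zone targets a management port."""
    if event.get("action", "").lower() not in ALLOW_ACTIONS:
        return False  # denied flows are the firewall working as intended
    if event.get("srczone", "").lower() not in UNTRUST_ZONES:
        return False  # internal or VPN-sourced management traffic is expected
    try:
        return int(event["dport"]) in MANAGEMENT_PORTS
    except (KeyError, ValueError):
        return False  # no usable destination port on this line

def find_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per matching line, tagged with the management service name."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if is_inbound_management(event):
            findings.append({"time": event.get("ts", ""), "src": event.get("src", ""),
                             "dst": event.get("dst", ""), "port": event["dport"],
                             "service": MANAGEMENT_PORTS[int(event["dport"])]})
    return findings

if __name__ == "__main__":
    for f in find_alerts(SAMPLE_LOGS):
        print(f"{f['time']} {f['service']} from {f['src']} to {f['dst']}:{f['port']} allowed inbound")
```

Only the two allowed untrust-sourced flows to 3389 and 22 are reported; the denied flow, the internal flow, the VPN-sourced flow and the HTTPS flow are left alone.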