Managed Sentinel – Alert 048

Alert ID: MS-A048
Alert Name: Inbound management allowed traffic through perimeter firewall (Internet or any other untrust zones)
Description: Detects RDP and SSH connections from the Internet. Connections of this type should be performed through a VPN tunnel. Exceptions can be added for approved applications.
Severity Level: Medium
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Defense Evasion, Collection
Log sources: Firewalls
False Positive: Unknown
Recommendations:
1. Apply firewall rules to block inbound traffic to specific management ports.
2. Deploy a jumpbox to consolidate all management flows together, and allow traffic only from this specific host towards the internal network.
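One way to express the detection described above as a Sentinel analytics query; this is an added example, not the Managed Sentinel rule itself. It assumes the perimeter firewall forwards CEF logs into the CommonSecurityLog table and that the allowed action is recorded in DeviceAction; the approved-source list is a placeholder to be replaced with the organisation's own exceptions.

```kql
// Added example (not the Managed Sentinel MS-A048 rule): inbound RDP/SSH
// from non-private sources that the perimeter firewall allowed.
// Assumes CEF firewall logs in CommonSecurityLog with DeviceAction populated.
let lookback = 1h;
let mgmt_ports = dynamic([22, 3389]);          // SSH, RDP
// Placeholder exception list: approved source addresses (e.g. a partner VPN
// concentrator). Replace with the real approved entries or a watchlist.
let approved_sources = dynamic(["203.0.113.10"]);
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DestinationPort in (mgmt_ports)
// Keep only traffic the firewall permitted; denied attempts are noise here.
| where DeviceAction !in~ ("deny", "drop", "block", "reject")
// Source must be a routable (non-RFC1918) address, i.e. from the Internet.
| where isnotempty(SourceIP) and not(ipv4_is_private(SourceIP))
| where SourceIP !in (approved_sources)
// Destination must be an internal host behind the perimeter.
| where isnotempty(DestinationIP) and ipv4_is_private(DestinationIP)
| summarize
    Hits = count(),
    Ports = make_set(DestinationPort),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, DestinationIP, DeviceVendor, DeviceProduct
| order by Hits desc
```

Each row is one Internet source reaching one internal host on a management port, which maps directly to the firewall rule or jumpbox exception that should have blocked it.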