Inbound management traffic allowed through the perimeter firewall (from the Internet or any other untrust zone)
Normally, all management traffic must be confined to the internal network or arrive via remote VPN. This alert searches for specific inbound management traffic, such as RDP and SSH, that the perimeter firewall has allowed through from an untrust zone.
MITRE ATT&CK Tactics
Apply firewall rules to block inbound traffic to specific management ports.
Deploy a jumpbox to consolidate all management flows, and allow management traffic into the internal network only from that specific host.
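The detection described above, expressed as a small log-matching routine, as an added example that is not part of the original rule content. It assumes a simplified key=value firewall log format (the field names `action`, `src_zone`, `dst_zone`, `src`, `dst`, `proto`, `dpt`), assumed zone names, and a constructed jumpbox address that stands in for the host allowed by the mitigation; the sample log lines are constructed. A flow is reported only when the firewall allowed it, it originates in an untrust zone, it targets an internal zone on a management port, and the source is not the allowlisted jumpbox.

```python
"""Flag allowed inbound management traffic (RDP/SSH) crossing a perimeter firewall.

Added example for this detection rule; log format, zone names and the jumpbox
address are assumptions, not values taken from any real deployment.
"""
from dataclasses import dataclass

# Management ports the rule looks for (RDP and SSH, as named in the description).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

# Zone names are an assumption; adapt them to the firewall's own zone configuration.
UNTRUST_ZONES = {"Internet", "DMZ", "Guest"}
INTERNAL_ZONES = {"Internal"}

# Sources permitted to originate management flows into the internal network
# (the jumpbox from the mitigation). Constructed placeholder address.
JUMPBOX_ALLOWLIST = {"10.0.50.10"}


@dataclass(frozen=True)
class Finding:
    src_ip: str
    src_zone: str
    dst_ip: str
    dst_port: int
    service: str


def parse_kv_log(line: str) -> dict:
    """Parse a 'key=value key=value ...' firewall log line into a dict."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_inbound_management(fields: dict) -> bool:
    """True when an allowed flow from an untrust zone reaches an internal management port."""
    try:
        dst_port = int(fields.get("dpt", ""))
    except ValueError:
        return False  # malformed or missing port: nothing to match on
    return (
        fields.get("action", "").lower() == "allow"
        and fields.get("src_zone") in UNTRUST_ZONES
        and fields.get("dst_zone") in INTERNAL_ZONES
        and dst_port in MANAGEMENT_PORTS
        and fields.get("src") not in JUMPBOX_ALLOWLIST
    )


def detect(lines) -> list:
    """Run the rule over an iterable of log lines and return the matching flows."""
    findings = []
    for line in lines:
        fields = parse_kv_log(line)
        if is_inbound_management(fields):
            port = int(fields["dpt"])
            findings.append(
                Finding(
                    src_ip=fields.get("src", "?"),
                    src_zone=fields["src_zone"],
                    dst_ip=fields.get("dst", "?"),
                    dst_port=port,
                    service=MANAGEMENT_PORTS[port],
                )
            )
    return findings


# Constructed sample log lines (documentation address ranges, fictitious timestamps).
SAMPLE_LOGS = [
    "ts=2024-01-01T10:00:00Z action=allow src_zone=Internet dst_zone=Internal src=203.0.113.5 dst=10.0.1.20 proto=tcp dpt=3389",
    "ts=2024-01-01T10:00:05Z action=allow src_zone=Internet dst_zone=Internal src=198.51.100.7 dst=10.0.1.21 proto=tcp dpt=22",
    "ts=2024-01-01T10:00:09Z action=deny src_zone=Internet dst_zone=Internal src=198.51.100.9 dst=10.0.1.21 proto=tcp dpt=22",
    "ts=2024-01-01T10:00:12Z action=allow src_zone=Internal dst_zone=Internal src=10.0.50.10 dst=10.0.1.22 proto=tcp dpt=22",
    "ts=2024-01-01T10:00:15Z action=allow src_zone=Internet dst_zone=Internal src=203.0.113.8 dst=10.0.1.30 proto=tcp dpt=443",
    "ts=2024-01-01T10:00:20Z action=allow src_zone=DMZ dst_zone=Internal src=10.0.50.10 dst=10.0.1.22 proto=tcp dpt=3389",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"ALERT inbound {f.service} allowed: {f.src_ip} ({f.src_zone}) -> {f.dst_ip}:{f.dst_port}")
```

Of the six constructed lines, only the first two fire: the denied flow never reached the internal host, the internal-to-internal flow did not cross the perimeter, port 443 is not a management port, and the DMZ source is the allowlisted jumpbox. In a real deployment the allowlist should be as small as the mitigation implies, one jumpbox, so that the rule keeps flagging any other path around it.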