Managed Sentinel – Alert 048
| Field | Value |
|---|---|
| Alert Name | Inbound management allowed traffic through perimeter firewall (Internet or any other untrusted zones) |
| Description | Detects RDP and SSH connections from the Internet. This type of connection should be made through a VPN tunnel. Exceptions can be added for approved applications. |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Defense Evasion |
| Recommendations | 1. Apply firewall rules to block inbound traffic to specific management ports. 2. Deploy a jumpbox to consolidate all management flows, and allow traffic only from this specific host towards the internal network. |
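As an added example (not the Managed Sentinel alert's own query), the detection logic described above run over constructed firewall records shaped loosely like Sentinel's CommonSecurityLog columns; the field names, sample addresses and the exception list are assumptions.

```python
"""Flag allowed inbound SSH/RDP from non-internal sources, with an exception list."""
import ipaddress

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
ALLOW_ACTIONS = {"allow", "accept", "permit"}

# Internal ranges listed explicitly rather than via ipaddress.is_private, because
# is_private also covers the TEST-NET documentation ranges used in the samples below.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Approved-application exceptions as (source IP, destination port); constructed values.
APPROVED_EXCEPTIONS = {("198.51.100.7", 22)}

# Constructed firewall records (TEST-NET and RFC1918 addresses, not real hosts).
SAMPLE_LOGS = [
    {"SourceIP": "203.0.113.45", "DestinationIP": "10.0.5.20", "DestinationPort": 3389, "DeviceAction": "allow"},
    {"SourceIP": "203.0.113.45", "DestinationIP": "10.0.5.21", "DestinationPort": 22, "DeviceAction": "deny"},
    {"SourceIP": "10.0.9.3", "DestinationIP": "10.0.5.20", "DestinationPort": 22, "DeviceAction": "allow"},
    {"SourceIP": "198.51.100.7", "DestinationIP": "10.0.5.22", "DestinationPort": 22, "DeviceAction": "allow"},
    {"SourceIP": "192.0.2.88", "DestinationIP": "10.0.5.23", "DestinationPort": 443, "DeviceAction": "allow"},
]


def is_untrusted_source(ip: str) -> bool:
    """Anything outside the internal ranges is treated as Internet / untrusted zone."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def detect(records):
    """Return one finding per allowed management connection from an untrusted source."""
    findings = []
    for rec in records:
        port = int(rec["DestinationPort"])
        if port not in MANAGEMENT_PORTS:
            continue  # not a management service
        if rec["DeviceAction"].lower() not in ALLOW_ACTIONS:
            continue  # blocked at the perimeter, nothing to alert on
        if not is_untrusted_source(rec["SourceIP"]):
            continue  # internal-to-internal, out of scope
        if (rec["SourceIP"], port) in APPROVED_EXCEPTIONS:
            continue  # approved application exception
        findings.append({"source": rec["SourceIP"], "destination": rec["DestinationIP"],
                         "service": MANAGEMENT_PORTS[port]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"ALERT 048: {f['service']} from {f['source']} to {f['destination']}")
```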