Managed Sentinel – Alert 048

| Field | Value |
|---|---|
| Alert ID | MS-A048 |
| Alert Name | Inbound management allowed traffic through perimeter firewall (Internet or any other untrust zones) |
| Description | Detects RDP and SSH connections from the Internet. Connections of this type should be performed through a VPN tunnel. Exceptions can be added for approved applications. |
| Severity Level | Medium |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Defense Evasion, Collection |
| Log sources | Firewalls |
| False Positive | Unknown |
| Recommendations | 1. Apply firewall rules to block inbound traffic to specific management ports. 2. Deploy a jumpbox to consolidate all management flows together, and allow traffic only from this specific host towards the internal network. |
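The detection logic the alert describes (allowed inbound RDP/SSH from an untrusted zone, minus an allowlist of approved flows), run over constructed firewall log lines. This is an added illustration, not the Managed Sentinel rule itself: the `key=value` log format, the field names, the sample addresses and the `APPROVED` exception set are all assumptions made for the example.

```python
import ipaddress

# Management services the alert covers (destination port -> name).
MGMT_PORTS = {22: "SSH", 3389: "RDP"}

# Address space treated as trusted for this example (RFC 1918, loopback,
# link-local). A real deployment would substitute its own trusted zones.
TRUSTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Approved exceptions as (source, destination, port) tuples: assumed values.
APPROVED = {("192.0.2.44", "10.0.0.22", 22)}

# Constructed sample firewall log lines (not real device output).
SAMPLE_LOGS = [
    "action=allow src=198.51.100.23 dst=10.0.0.5 dport=3389 proto=tcp",
    "action=allow src=10.10.1.7 dst=10.0.0.5 dport=3389 proto=tcp",     # internal source
    "action=deny src=203.0.113.9 dst=10.0.0.8 dport=22 proto=tcp",      # already blocked
    "action=allow src=203.0.113.9 dst=10.0.0.8 dport=22 proto=tcp",
    "action=allow src=192.0.2.44 dst=10.0.0.9 dport=443 proto=tcp",     # not a mgmt port
    "action=allow src=192.0.2.44 dst=10.0.0.22 dport=22 proto=tcp",     # approved exception
]


def parse_line(line):
    """Turn a key=value firewall line into a dict; dport becomes an int."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def is_untrusted(src):
    """True when the source address lies outside every trusted network."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in TRUSTED_NETS)


def find_alerts(lines, approved=APPROVED):
    """Return one alert dict per allowed inbound RDP/SSH flow from an
    untrusted source that is not on the approved-exception list."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["action"] != "allow":
            continue                      # denied traffic is the desired state
        if ev["dport"] not in MGMT_PORTS:
            continue                      # only management ports are in scope
        if not is_untrusted(ev["src"]):
            continue                      # internal-to-internal is out of scope
        if (ev["src"], ev["dst"], ev["dport"]) in approved:
            continue                      # documented exception
        alerts.append({
            "alert_id": "MS-A048",
            "service": MGMT_PORTS[ev["dport"]],
            "src": ev["src"],
            "dst": ev["dst"],
            "dport": ev["dport"],
        })
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOGS):
        print(f"{a['alert_id']}: {a['service']} from {a['src']} to {a['dst']}:{a['dport']}")
```

Of the six sample lines only two fire: the RDP flow from 198.51.100.23 and the allowed SSH flow from 203.0.113.9. The denied SSH attempt, the internal RDP session, the HTTPS flow and the allowlisted SSH flow are all filtered out, which is the shape the "Exceptions can be added for approved applications" clause implies.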
