
Summary
This detection rule identifies potentially malicious VNC (Virtual Network Computing) traffic arriving from the Internet; Internet-exposed VNC can be exploited by attackers for unauthorized remote access to systems. VNC is useful to system administrators for remote maintenance, but exposing it to the Internet is risky because it is a common vector for cyber threats. The rule monitors network traffic to TCP ports 5800-5810 while filtering out traffic from trusted internal IP ranges. Alerts generated by this rule can indicate unauthorized access attempts and warrant further investigation to determine whether a threat is present. False positives may result from legitimate VNC usage within internal networks, particularly by engineers or automated systems. Triage involves verifying the source and destination IPs and analyzing network traffic trends to identify any indicators of compromise. If suspicious activity is confirmed, rapid response measures should be initiated to isolate affected systems and remediate vulnerabilities, while preventing future exposure.
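The rule's logic, reimplemented here as an added Python example (not the rule's own query or any code from the rule's authors) and run over constructed flow records; the trusted internal ranges are assumed to be RFC 1918 space plus loopback, standing in for a site's real exclusion list:

```python
import ipaddress

# Destination port range the rule monitors (from the rule summary).
VNC_PORTS = range(5800, 5811)  # 5800-5810 inclusive

# Assumed trusted internal ranges: RFC 1918 space plus loopback. The real
# rule's exclusion list is site-specific; replace with your own allow-list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip: str) -> bool:
    """Return True if the address falls inside a trusted internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def matches_rule(flow: dict) -> bool:
    """VNC from the Internet: TCP to 5800-5810, external source, internal target."""
    return (
        flow.get("transport") == "tcp"
        and flow["destination_port"] in VNC_PORTS
        and not is_internal(flow["source_ip"])
        and is_internal(flow["destination_ip"])
    )

def find_alerts(flows: list) -> list:
    """Return the subset of flow records that would raise an alert."""
    return [f for f in flows if matches_rule(f)]

# Constructed sample flow records (documentation addresses, not real traffic).
SAMPLE_FLOWS = [
    # External host to an internal VNC web port: should alert.
    {"source_ip": "203.0.113.10", "destination_ip": "10.1.2.3",
     "destination_port": 5800, "transport": "tcp"},
    # Engineer on the LAN using VNC: the documented benign case, no alert.
    {"source_ip": "192.168.5.20", "destination_ip": "10.1.2.3",
     "destination_port": 5801, "transport": "tcp"},
    # External source but a port outside the monitored range: no alert.
    {"source_ip": "198.51.100.7", "destination_ip": "10.1.2.3",
     "destination_port": 5900, "transport": "tcp"},
    # Same port over UDP: the rule covers TCP only, no alert.
    {"source_ip": "198.51.100.7", "destination_ip": "10.1.2.3",
     "destination_port": 5800, "transport": "udp"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

Only the first constructed record alerts; the internal-to-internal flow shows why the trusted-range filter is what keeps engineers' legitimate sessions out of the alert queue.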
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
- Application Log
ATT&CK Techniques
- T1219
- T1190
Created: 2020-02-18