Okay, I'm not at work so I can't pull the "obvious internal ips" straight off out of my head, but if you generate a list of internal IPs, then everything not on the list is external.
Create a lookup table, and for any event, pull the ips, do a lookup on each. If not found, then alert. (First just yourself, while developing, to find what you've forgotten. After you've got it reasonably clean, then you can alert more broadly.