KQL Search

//Visualizes potentially anomalous RDP connections from your devices.

//Data connector required for this query - M365 Defender - Device* tables

//Starttime and timeframe = how many days of data to look at to build your data set and in what grouping, i.e 30 days of data over 2 hour periods.
//Threshold = the amount of total RDP connections required to be included in anomaly calculations. Reduces noise from low level anomalies, e.g going from 1 connection to 2.
//Sensitivity = adjust to make the query more or less sensitive, the higher the value, the greater the anomaly required to be detected.
let starttime = 30d;
let timeframe = 2h;
let sensitivity = 3;
let threshold = 5;
let outlierdevices=
    DeviceNetworkEvents
    | where TimeGenerated > ago(starttime)
    | where LocalIPType == "Private"
    | where RemotePort == "3389"
    // Exclude Defender for Identity which uses RDP to map your network
    | where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe"
    | project TimeGenerated, DeviceName
    | order by TimeGenerated
    | summarize RDPEvents=count()by DeviceName, bin(TimeGenerated, timeframe)
    | where RDPEvents > threshold
    | summarize EventCount=make_list(RDPEvents), TimeGenerated=make_list(TimeGenerated) by DeviceName
    | extend outliers=series_decompose_anomalies(EventCount, sensitivity)
    | mv-expand TimeGenerated, EventCount, outliers
    | where outliers == 1
//Optionally visualize the anomalies, remove everything below this line to just retrieve the data
    | distinct DeviceName;
DeviceNetworkEvents
| where TimeGenerated > ago(starttime)
| where DeviceName in (outlierdevices)
| where LocalIPType == "Private"
| where RemotePort == "3389"
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe"
| summarize RDPCount=count() by DeviceName, bin(TimeGenerated, timeframe)
| render timechart