Query Details

Device Detect Localto Public RDP

Query

//Detect allowed RDP connections from private to public networks

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemotePort == "3389"
| where LocalIPType == "Private" and RemoteIPType == "Public"
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    LocalIP,
    RemoteIP,
    RemoteUrl

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemotePort == "3389"
| where LocalIPType == "Private" and RemoteIPType == "Public"
| project
    Timestamp,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    LocalIP,
    RemoteIP,
    RemoteUrl

Explanation

This query is used to detect successful Remote Desktop Protocol (RDP) connections from private networks to public networks. It requires the M365 Defender - Device* tables data connector for the Microsoft Sentinel query, and the Advanced Hunting license data connector for the Advanced Hunting query. The query filters for events where the ActionType is "ConnectionSuccess", the RemotePort is "3389", the LocalIPType is "Private", and the RemoteIPType is "Public". It then projects the TimeGenerated (or Timestamp), DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, LocalIP, RemoteIP, and RemoteUrl fields.
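As an added example (not code from the original page or its author), the same filter and project logic ported to Python and run over constructed DeviceNetworkEvents-style rows, so the detection can be exercised offline; the private/public address classification, the sample events and the function names are assumptions, since in Defender the LocalIPType and RemoteIPType columns are already computed for you.

```python
import ipaddress

# Ranges treated as "Private" (assumption: RFC 1918 plus loopback, link-local
# and IPv6 ULA); any other parsable address is classified "Public".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def ip_type(ip):
    """Return 'Private', 'Public', or 'Unknown' for an unparsable address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "Unknown"
    return "Private" if any(addr in net for net in PRIVATE_NETS) else "Public"

# Columns kept by the query's project clause (Advanced Hunting variant).
PROJECTED = ("Timestamp", "DeviceName", "InitiatingProcessAccountName",
             "InitiatingProcessCommandLine", "LocalIP", "RemoteIP", "RemoteUrl")

def detect_private_to_public_rdp(events):
    """Apply the query's four where-clauses, then its project list."""
    hits = []
    for ev in events:
        if (ev.get("ActionType") == "ConnectionSuccess"
                and str(ev.get("RemotePort")) == "3389"  # query compares to "3389"
                and ip_type(ev.get("LocalIP", "")) == "Private"
                and ip_type(ev.get("RemoteIP", "")) == "Public"):
            hits.append({k: ev.get(k) for k in PROJECTED})
    return hits

# Constructed sample rows in DeviceNetworkEvents shape (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2022-06-17T10:00:00Z", "DeviceName": "ws01",
     "ActionType": "ConnectionSuccess", "RemotePort": 3389,
     "LocalIP": "10.1.2.3", "RemoteIP": "203.0.113.10", "RemoteUrl": "",
     "InitiatingProcessAccountName": "alice",
     "InitiatingProcessCommandLine": "mstsc.exe /v:203.0.113.10"},
    {"Timestamp": "2022-06-17T10:01:00Z", "DeviceName": "ws01",  # internal RDP: no hit
     "ActionType": "ConnectionSuccess", "RemotePort": 3389,
     "LocalIP": "10.1.2.3", "RemoteIP": "10.1.2.50", "RemoteUrl": "",
     "InitiatingProcessAccountName": "alice", "InitiatingProcessCommandLine": "mstsc.exe"},
    {"Timestamp": "2022-06-17T10:02:00Z", "DeviceName": "ws02",  # failed attempt: no hit
     "ActionType": "ConnectionFailed", "RemotePort": 3389,
     "LocalIP": "192.168.5.7", "RemoteIP": "198.51.100.4", "RemoteUrl": "",
     "InitiatingProcessAccountName": "bob", "InitiatingProcessCommandLine": "mstsc.exe"},
]

if __name__ == "__main__":
    for hit in detect_private_to_public_rdp(SAMPLE_EVENTS):
        print(hit)
```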

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,ActionType,ConnectionSuccess,RemotePort,LocalIPType,RemoteIPType,TimeGenerated,DeviceName,InitiatingProcessAccountName,InitiatingProcessCommandLine,LocalIP,RemoteIP,RemoteUrl,Timestamp

Operators

|, where, ==, and, or, project
