Query Details

Device Detect RDP Recon

Query

//Search for devices connecting to multiple IP addresses via RDP within a time window and alert when over a particular threshold

//Data connector required for this query - M365 Defender - Device* tables

let timerange=1d;
let window=20m;
let threshold=5;
DeviceNetworkEvents
| where TimeGenerated > ago(timerange)
| where ActionType == "ConnectionSuccess"
// RemotePort is an integer column, so compare against a number rather than a string
| where RemotePort == 3389
// Exclude Defender for Identity which uses RDP to map your network
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe"
// One row per device per 20-minute bin, with the distinct remote IPs it reached in that bin
| summarize ['Target Device List']=make_set(RemoteIP), ['Count of Devices']=dcount(RemoteIP) by bin(TimeGenerated, window), DeviceName
| where ['Count of Devices'] > threshold
| sort by ['Count of Devices'] desc

Explanation

This query searches for devices that successfully connect to multiple IP addresses over Remote Desktop Protocol (RDP, TCP port 3389) within a specified time window (20 minutes). It will alert when the number of distinct remote IP addresses contacted by a single device in one window exceeds the threshold (5). The query excludes connections initiated by the process "Microsoft.Tri.Sensor.exe", which Defender for Identity uses to map the network over RDP. The results are summarized by the time window and device name, and sorted in descending order by the count of remote devices.
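To show what the query's filter, bin() and dcount() steps actually do to a set of events, and to make the fixed-window behaviour visible, here is an added Python re-implementation of the same logic run over constructed DeviceNetworkEvents rows. It is example code written for this page, not part of the original query or of the author's work; the device names, IP addresses, timestamps and the mstsc.exe / explorer.exe process names are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)


def kql_bin(ts, window):
    """Mirror KQL bin(TimeGenerated, window): floor ts to a multiple of window since the epoch."""
    return EPOCH + (ts - EPOCH) // window * window


def t(day, hour, minute):
    """Constructed timestamps on 2022-06-<day> UTC."""
    return datetime(2022, 6, day, hour, minute, tzinfo=UTC)


NOW = t(17, 12, 0)  # constructed "query time"

# Constructed sample rows carrying the DeviceNetworkEvents columns the query reads:
# (TimeGenerated, DeviceName, ActionType, RemoteIP, RemotePort, InitiatingProcessFileName)
SAMPLE_EVENTS = (
    # WS01: seven distinct hosts inside the 10:00-10:20 bin, plus one repeat -> should fire (dcount = 7)
    [(t(17, 10, 5 + i), "WS01", "ConnectionSuccess", f"10.0.0.{11 + i}", 3389, "mstsc.exe") for i in range(7)]
    + [(t(17, 10, 12), "WS01", "ConnectionSuccess", "10.0.0.11", 3389, "mstsc.exe")]
    # DC01: Defender for Identity sensor mapping the network -> excluded by process name
    + [(t(17, 10, 5), "DC01", "ConnectionSuccess", f"10.0.1.{1 + i}", 3389, "Microsoft.Tri.Sensor.exe") for i in range(8)]
    # WS03: seven hosts in five minutes, but the burst straddles the 10:20 bin boundary (4 + 3) -> missed
    + [(t(17, 10, 18 + i // 2), "WS03", "ConnectionSuccess", f"10.0.2.{1 + i}", 3389, "mstsc.exe") for i in range(4)]
    + [(t(17, 10, 21 + i // 2), "WS03", "ConnectionSuccess", f"10.0.2.{5 + i}", 3389, "mstsc.exe") for i in range(3)]
    # SRV02: failed connections are not counted
    + [(t(17, 10, 30), "SRV02", "ConnectionFailed", f"10.0.3.{1 + i}", 3389, "mstsc.exe") for i in range(6)]
    # WS01 two days earlier: outside the 1d timerange
    + [(t(15, 9, 0), "WS01", "ConnectionSuccess", f"10.0.4.{1 + i}", 3389, "mstsc.exe") for i in range(9)]
    # WS01: non-RDP port in the same bin, ignored by the port filter
    + [(t(17, 10, 6), "WS01", "ConnectionSuccess", f"10.0.5.{1 + i}", 445, "explorer.exe") for i in range(6)]
)


def detect_rdp_recon(events, now, timerange=timedelta(days=1),
                     window=timedelta(minutes=20), threshold=5):
    """Python equivalent of the KQL pipeline: filter, summarize per (bin, device), threshold, sort."""
    targets = defaultdict(set)  # (bin start, DeviceName) -> distinct RemoteIPs (make_set / dcount)
    for ts, device, action, remote_ip, remote_port, proc in events:
        if ts <= now - timerange:              # TimeGenerated > ago(timerange)
            continue
        if action != "ConnectionSuccess":      # ActionType == "ConnectionSuccess"
            continue
        if remote_port != 3389:                # RemotePort == 3389
            continue
        if proc == "Microsoft.Tri.Sensor.exe":  # exclude the Defender for Identity sensor
            continue
        targets[(kql_bin(ts, window), device)].add(remote_ip)
    rows = [
        {"TimeGenerated": start, "DeviceName": device,
         "Target Device List": sorted(ips), "Count of Devices": len(ips)}
        for (start, device), ips in targets.items()
        if len(ips) > threshold                # ['Count of Devices'] > threshold
    ]
    rows.sort(key=lambda r: r["Count of Devices"], reverse=True)  # sort by ['Count of Devices'] desc
    return rows


if __name__ == "__main__":
    for row in detect_rdp_recon(SAMPLE_EVENTS, NOW):
        print(row["TimeGenerated"].isoformat(), row["DeviceName"],
              row["Count of Devices"], row["Target Device List"])
```

With the page's defaults only WS01 is returned. WS03 reaches just as many hosts but its burst is split 4/3 across two fixed 20-minute bins, so neither bin clears the threshold: bin() is a tumbling window, not a sliding one, and a tuning pass on the window size or threshold (or a sliding-window rewrite) is what a detection engineer would consider if that gap matters in their environment.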

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceNetworkEvents

Keywords

Devices, Intune, User, IPAddresses, RDP, TimeWindow, Threshold

Operators

where, let, timerange, window, threshold, DeviceNetworkEvents, ago, ActionType, RemotePort, InitiatingProcessFileName, summarize, make_set, dcount, bin, DeviceName, sort by
