Query Details
//Visualize the different RDP clients, such as mRemoteNG or RoyalTS, being used in your environment
//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where ActionType == "ConnectionSuccess"
//RemotePort is an integer column, so compare against a numeric literal
| where RemotePort == 3389
//Exclude Defender for Identity which uses RDP traffic to map your network
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.exe"
| summarize ['RDP Client Count']=count() by InitiatingProcessFileName
| where isnotempty(InitiatingProcessFileName)
| sort by ['RDP Client Count'] desc
| render barchart

//Advanced Hunting query
//Data connector required for this query - Advanced Hunting license
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
//RemotePort is an integer column, so compare against a numeric literal
| where RemotePort == 3389
//Exclude Defender for Identity which uses RDP traffic to map your network
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.exe"
| summarize ['RDP Client Count']=count() by InitiatingProcessFileName
| where isnotempty(InitiatingProcessFileName)
| sort by ['RDP Client Count'] desc
| render barchart
This query visualizes the different Remote Desktop Protocol (RDP) clients in use across your environment. It reads the DeviceNetworkEvents table, either through the M365 Defender data connector in Microsoft Sentinel (where the time column is TimeGenerated) or directly in Advanced Hunting (where it is Timestamp). It keeps only successful outbound connections to port 3389 and excludes the Defender for Identity sensor process (Microsoft.Tri.Sensor.exe), which legitimately uses RDP to map the network. It then counts connections per InitiatingProcessFileName, drops rows with an empty process name, sorts the clients in descending order of count, and renders the result as a bar chart, so unfamiliar or unexpected RDP tools stand out next to the sanctioned ones.
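A natural follow-up to the bar chart is to look at the long tail: RDP clients seen on only a handful of devices, together with the folder they launched from and the accounts using them. The query below is an added example, not part of the original query; it uses the same DeviceNetworkEvents filters and assumes the Sentinel column names (replace TimeGenerated with Timestamp for Advanced Hunting). The lookback window and the rarity threshold are assumed values to tune for your environment.

```kql
// Added example: surface rarely used RDP clients with their launch context.
// Assumption: clients seen on 3 or fewer devices in 30 days are worth reviewing.
let lookback = 30d;
let rare_threshold = 3;
DeviceNetworkEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "ConnectionSuccess"
| where RemotePort == 3389
// Same exclusion as the base query: Defender for Identity maps the network over RDP
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.exe"
| where isnotempty(InitiatingProcessFileName)
| summarize
    ['Connection Count']=count(),
    ['Device Count']=dcount(DeviceName),
    ['Remote IP Count']=dcount(RemoteIP),
    // Launch path and account help tell a sanctioned install from a renamed binary
    ['Launch Paths']=make_set(InitiatingProcessFolderPath, 10),
    ['Accounts']=make_set(InitiatingProcessAccountName, 10),
    ['First Seen']=min(TimeGenerated),
    ['Last Seen']=max(TimeGenerated)
    by InitiatingProcessFileName
| where ['Device Count'] <= rare_threshold
| sort by ['Connection Count'] desc
```

Clients that appear here but not in your approved tooling list, or that launch from user-writable paths, are the rows to triage first.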

Matt Zorich
Released: June 17, 2022