Query Details

Devices No RDP

Query

//Find devices that have had no inbound RDP connections in the last 30 days to help build firewall policy

//Microsoft Sentinel query

let devices=
DeviceNetworkEvents
| where TimeGenerated > ago (30d)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort == 3389
| distinct DeviceId;
DeviceInfo
| where TimeGenerated > ago (30d)
| distinct DeviceId, DeviceName
| where DeviceId !in (devices)


//Advanced Hunting query

let devices=
DeviceNetworkEvents
| where Timestamp > ago (30d)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort == 3389
| distinct DeviceId;
DeviceInfo
| where Timestamp > ago (30d)
| distinct DeviceId, DeviceName
| where DeviceId !in (devices)

Explanation

This query finds devices that have had no inbound Remote Desktop Protocol (RDP) connections in the last 30 days, to help build a firewall policy. It first identifies devices that accepted an inbound connection on port 3389 in the last 30 days and stores their IDs in a variable called "devices". It then retrieves the ID and name of every device that reported to DeviceInfo in the last 30 days and keeps only those whose DeviceId is not in the "devices" variable.
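The following is an added example, not the author's query, that extends the same idea for policy work: instead of only listing devices with no RDP, it keeps every device that reported to DeviceInfo in the window and attaches its inbound RDP count, last RDP time and the remote IPs seen, so zero-count devices (candidates for a block rule) and the devices that do need RDP appear in one list. It is written in Advanced Hunting form (use TimeGenerated in Sentinel) and assumes the standard RemoteIP and OSPlatform columns; like the original, it only sees RDP on port 3389 and only devices the sensor reported.

```kql
// Added example (not the original query). Inbound RDP activity per device over the lookback window.
let lookback = 30d;
let rdp = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort == 3389
| summarize RdpConnections = count(),
            LastRdp = max(Timestamp),
            RemoteIPs = make_set(RemoteIP, 20)   // cap the set so wide-open hosts stay readable
  by DeviceId;
// Every device that reported in the window, with its latest name and platform
DeviceInfo
| where Timestamp > ago(lookback)
| summarize arg_max(Timestamp, DeviceName, OSPlatform) by DeviceId
// leftouter keeps devices with no RDP rows; their RdpConnections becomes null
| join kind=leftouter rdp on DeviceId
| extend RdpConnections = coalesce(RdpConnections, 0)
| project DeviceId, DeviceName, OSPlatform, RdpConnections, LastRdp, RemoteIPs
// Devices with 0 inbound RDP sort first: these are the block-rule candidates
| order by RdpConnections asc, DeviceName asc
```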

Details

Matt Zorich

Released: November 2, 2022

Tables

DeviceNetworkEvents, DeviceInfo

Keywords

Devices, Intune, User

Operators

let, where, ago, ==, distinct, |, in
