Query Details

New RDP Connections

Query

# Detect new RDP connections to devices that have not been established in the past 20 days
----
### Defender For Endpoint

```kql
// Baseline: every successful RDP (TCP 3389) connection seen in the last 20 days
let PreviousRDPConnections = materialize (
     DeviceNetworkEvents
     | where Timestamp > ago(20d)
     | where ActionType == "ConnectionSuccess"
     | where not(InitiatingProcessFileName == "Microsoft.Tri.Sensor.exe") // DFI Sensor (Defender for Identity), excluded
     | where RemotePort == 3389
     );
// Left side: connections from the last day. Right side (anti-joined): the older
// 19 days of the same baseline. A device/account pair that only appears in the
// last day has not been established in the past 20 days and is reported as new.
PreviousRDPConnections
| where Timestamp > ago(1d)
| join kind=leftanti (PreviousRDPConnections
     | where Timestamp <= ago(1d))
     on DeviceName, InitiatingProcessAccountName
| project
     Timestamp,
     DeviceName,
     InitiatingProcessAccountDomain,
     InitiatingProcessAccountName,
     InitiatingProcessCommandLine,
     RemoteUrl,
     RemoteIP
| sort by Timestamp
```
### Sentinel
```kql
// Baseline: every successful RDP (TCP 3389) connection seen in the last 20 days
let PreviousRDPConnections = materialize (
     DeviceNetworkEvents
     | where TimeGenerated > ago(20d)
     | where ActionType == "ConnectionSuccess"
     | where not(InitiatingProcessFileName == "Microsoft.Tri.Sensor.exe") // DFI Sensor (Defender for Identity), excluded
     | where RemotePort == 3389
     );
// Left side: connections from the last day. Right side (anti-joined): the older
// 19 days of the same baseline. A device/account pair that only appears in the
// last day has not been established in the past 20 days and is reported as new.
PreviousRDPConnections
| where TimeGenerated > ago(1d)
| join kind=leftanti (PreviousRDPConnections
     | where TimeGenerated <= ago(1d))
     on DeviceName, InitiatingProcessAccountName
| project
     TimeGenerated,
     DeviceName,
     InitiatingProcessAccountDomain,
     InitiatingProcessAccountName,
     InitiatingProcessCommandLine,
     RemoteUrl,
     RemoteIP
| sort by TimeGenerated
```

#### Versions
| Version | Comment |
| ---  | --- |
| 1.0 | Initial commit |
| 1.1 | Timespan update |

Explanation

The query detects new Remote Desktop Protocol (RDP) connections: successful connections to port 3389 from a device and account combination that has not established an RDP connection in the past 20 days. For each such connection it returns the timestamp, device name, initiating process account domain, initiating process account name, initiating process command line, remote URL and remote IP. The query is available in both Defender for Endpoint and Sentinel versions.
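To make the baseline/anti-join logic concrete, here is an added Python re-implementation of the query over a small constructed event sample; it is not code from the page or its author, and the field names are taken from the query while the sample values are invented.

```python
from datetime import datetime, timedelta, timezone

# Reference point for the constructed sample; the KQL uses now() via ago().
NOW = datetime(2023, 4, 17, 12, 0, tzinfo=timezone.utc)


def evt(days_ago, device, account, ip, port=3389, proc="mstsc.exe", action="ConnectionSuccess"):
    """Build one constructed DeviceNetworkEvents-like record (not real telemetry)."""
    return {"Timestamp": NOW - timedelta(days=days_ago), "DeviceName": device,
            "InitiatingProcessAccountName": account, "InitiatingProcessFileName": proc,
            "ActionType": action, "RemotePort": port, "RemoteIP": ip}


# Constructed sample that exercises each filter and both sides of the join.
EVENTS = [
    evt(15, "ws01", "alice", "10.0.0.5"),    # in the 20d baseline
    evt(0.5, "ws01", "alice", "10.0.0.5"),   # same pair again today -> known, not new
    evt(0.4, "ws05", "dave", "10.0.0.11"),   # dave's earlier RDP (below) is older than 20d -> new
    evt(25, "ws05", "dave", "10.0.0.11"),    # outside the materialized window, no baseline hit
    evt(0.3, "ws02", "bob", "10.0.0.9"),     # never seen in the baseline -> new
    evt(0.2, "ws03", "svc", "10.0.0.7", proc="Microsoft.Tri.Sensor.exe"),  # DFI sensor, excluded
    evt(0.1, "ws04", "carol", "10.0.0.5", port=443),  # not RDP
    evt(1.5, "ws06", "erin", "10.0.0.12"),   # baseline only, never on the left side
    evt(0.6, "ws07", "frank", "10.0.0.13", action="ConnectionFailed"),  # failed, excluded
]


def new_rdp_connections(events, now=NOW, baseline_days=20, recent_days=1):
    """Mirror the KQL: materialize 20d of successful RDP connections, then
    leftanti-join the last day against the older part of that window on
    (DeviceName, InitiatingProcessAccountName)."""
    baseline_start = now - timedelta(days=baseline_days)
    recent_start = now - timedelta(days=recent_days)
    previous = [e for e in events
                if e["Timestamp"] > baseline_start
                and e["ActionType"] == "ConnectionSuccess"
                and e["InitiatingProcessFileName"] != "Microsoft.Tri.Sensor.exe"
                and e["RemotePort"] == 3389]

    def key(e):
        return (e["DeviceName"], e["InitiatingProcessAccountName"])

    # Right side of the anti-join: pairs already seen earlier in the window.
    known = {key(e) for e in previous if e["Timestamp"] <= recent_start}
    # Left side: last day's connections; keep only those without a match.
    fresh = [e for e in previous if e["Timestamp"] > recent_start and key(e) not in known]
    return sorted(fresh, key=lambda e: e["Timestamp"])  # "sort by Timestamp"


if __name__ == "__main__":
    for e in new_rdp_connections(EVENTS):
        print(e["Timestamp"].isoformat(), e["DeviceName"], e["InitiatingProcessAccountName"], e["RemoteIP"])
```

Widening `recent_days` widens the left side of the join in the same way as changing the `ago(1d)` window in the query; `erin` on `ws06` becomes a hit at two days, for example.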

Details

Bert-Jan Pals

Released: April 17, 2023

Tables

DeviceNetworkEvents

Keywords

Devices, Intune, User, Timestamp, InitiatingProcessFileName, RemotePort, DeviceName, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, TimeGenerated

Operators

materialize, where, ago, join kind=leftanti, on, project, sort by