Query Details

RDP Connections From Devices To Remote IP Classified By Country

Query

DeviceEvents
| where ActionType == "RemoteDesktopConnection"
| extend location = geo_info_from_ip_address(RemoteIP)
| where isnotempty(location.country)
| extend Country = tostring(location.country)
| project Timestamp, DeviceName, ActionType, LocalIP, LocalPort, RemoteIP, RemotePort, Country, location, ReportId, DeviceId

Explanation

This query selects DeviceEvents records whose ActionType is RemoteDesktopConnection. It resolves the remote endpoint's address with geo_info_from_ip_address(), keeps only events for which a country could be resolved, exposes that country as its own column, and projects Timestamp, DeviceName, ActionType, LocalIP, LocalPort, RemoteIP, RemotePort, Country, the full location object, ReportId and DeviceId.

Two details matter for correctness. The lookup must run on RemoteIP rather than LocalIP: the device's own address is almost always an RFC 1918 address, for which geo_info_from_ip_address() returns no useful data, so geolocating LocalIP never yields the remote country the title asks for. The filter must test the resolved value, isnotempty(location.country), rather than the string match location contains "Country": contains is case-insensitive and matches the key name "country" inside the serialized object, so it would pass rows regardless of whether a country was actually resolved. The geolocation comes from a built-in IP database, so results are approximate and can lag behind reassignments of address space; treat the country as a triage hint, not as ground truth.
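The query above returns one row per connection, which is useful for investigating a known host but hard to read across a fleet. The following is an added example, not part of the original query, that aggregates the same events by destination country over a 30-day window and surfaces countries contacted by only a handful of devices, where unexpected RDP egress tends to stand out. It assumes the standard DeviceEvents schema (RemoteIP, DeviceId, Timestamp); the lookback period and the rarity threshold are arbitrary values chosen for illustration.

```kql
// Added example: RDP connections summarized by remote country, surfacing
// countries seen on only a few devices. Lookback and threshold are
// illustrative assumptions, not values from the original query.
let lookback = 30d;
let rare_threshold = 5;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "RemoteDesktopConnection"
// Private and empty addresses cannot be geolocated; drop them up front
// rather than letting them surface as rows with no country.
| where isnotempty(RemoteIP) and not(ipv4_is_private(RemoteIP))
| extend geo = geo_info_from_ip_address(RemoteIP)
| extend Country = tostring(geo.country)
| where isnotempty(Country)
| summarize Connections = count(),
            Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleRemoteIPs = make_set(RemoteIP, 10)
    by Country
// Countries reached by fewer than rare_threshold distinct devices are the
// candidates worth a second look; sort the least common first.
| where Devices < rare_threshold
| order by Devices asc, Connections asc
```

Raising rare_threshold or extending lookback trades noise for recall; a reasonable workflow is to run the aggregate first, then pivot into the per-connection query above for any country that should not appear in the environment.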

Details

Sergio Albea

Released: June 7, 2024

Tables

DeviceEvents

Keywords

DeviceEvents,RemoteDesktopConnection,Location,Country,Timestamp,DeviceName,ActionType,LocalIP,LocalPort,ReportId,DeviceId

Operators

where,contains,extend,geo_info_from_ip_address,project