Query Details

Security Event Summarize RDP Activity

Query

//Creates a list of computers that your users have connected to via RDP and the total count of distinct computers each user has connected to

//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent

SecurityEvent
| where TimeGenerated > ago(7d)
// EventID is an integer column, so compare against a numeric literal
| where EventID == 4624
// LogonType 10 is RemoteInteractive, i.e. a Remote Desktop logon
| where LogonType == 10
//Extend new column that drops Account to lower case so users are correctly summarized, i.e User123 and user123 are combined
| extend AccountName=tolower(Account)
| summarize
    ['Count of Computers']=dcount(Computer),
    ['List of Computers']=make_set(Computer)
    by AccountName
| sort by ['Count of Computers'] desc

Explanation

This query creates a list of computers that users have connected to via RDP in the past 7 days. It also counts the total number of distinct computers each user has connected to. The query requires a data connector for Windows Security Events. It filters for events with EventID 4624 and LogonType 10. It then extends a new column to convert the account names to lowercase for accurate summarization. Finally, it summarizes the data by the account names, providing the count of computers each user has connected to and a list of those computers. The results are sorted in descending order based on the count of computers.
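A follow-on to the query above, added here and not part of the original page: instead of only listing each user's RDP targets, it builds a 30-day baseline per account and reports logons in the last day to computers outside that baseline, which is a more useful starting point for spotting unusual lateral RDP use. It uses the same SecurityEvent columns plus IpAddress, and the lookback windows are assumptions you should tune to your environment.

```kql
// Added example, not the original query: surface RDP logons to computers an
// account has not reached in the preceding baseline window.
let lookback = 30d;   // assumed baseline window
let recent = 1d;      // assumed detection window
let rdp_logons = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType == 10      // RemoteInteractive (RDP)
    | extend AccountName = tolower(Account)
    | where AccountName !endswith "$"                  // drop machine accounts
    | project TimeGenerated, AccountName, Computer, IpAddress;
// Set of computers each account reached before the detection window
let baseline = rdp_logons
    | where TimeGenerated <= ago(recent)
    | summarize KnownComputers = make_set(Computer) by AccountName;
rdp_logons
| where TimeGenerated > ago(recent)
| join kind=leftouter baseline on AccountName
// Keep logons whose target is missing from the baseline (or no baseline exists)
| where isnull(KnownComputers) or not(set_has_element(KnownComputers, Computer))
| summarize
    FirstSeen = min(TimeGenerated),
    ['New Computers'] = make_set(Computer),
    ['Source IPs'] = make_set(IpAddress)
    by AccountName
| extend ['Count of New Computers'] = array_length(['New Computers'])
| sort by ['Count of New Computers'] desc
```

Accounts with no baseline at all (first RDP activity in 30 days) will appear with every target listed as new, which is usually worth a look on its own.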

Details

Matt Zorich

Released: June 17, 2022

Tables

SecurityEvent

Keywords

Devices,Intune,User

Operators

where, where, where, extend, summarize, dcount, make_set, by, sort