RDP Audit

SELECT
    meta_hostname AS "RDP Destination",
    calendar_time,
    cmdline,
    remote_address AS "Connected From",
    local_address AS "Connected To"
FROM xdr_data
WHERE query_name = 'open_sockets'
AND cmdline LIKE '%TermService%'
ORDER BY calendar_time DESC

This query will report on all the successful RDP connection from the Data Lake

Are these what expect?
Any external IP address?
Any strange times?

MichaelCurtis

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

RDP Audit

Submitted a Tech Support Case lately from the Support Portal?