Microsoft Sentinel Analytic Rules

Multiple RDP connections from Single System

RulenameMultiple RDP connections from Single System
DescriptionIdentifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days.

Connections from the same source system with the same account within the same day are counted together.

RDP connections are indicated by the EventID 4624 with LogonType = 10
Required data connectorsSecurityEvents
Query frequency1d
Query period8d
Trigger threshold0
Trigger operatorgt
Source Uri
Arm template78422ef2-62bf-48ca-9bab-72c69818a425.json
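// Multiple RDP connections from Single System (Sentinel scheduled rule).
// For every (Account, IpAddress) pair, compares today's number of distinct
// RDP targets (EventID 4624 with LogonType 10) with the same count over the
// previous 7 days and keeps the pairs whose today-vs-baseline ratio exceeds
// `threshold`. Reads SecurityEvent and WindowsEvent; union isfuzzy=true lets
// the query run when only one of the two tables exists in the workspace.
let endtime = 1d;     // "today": the most recent 24 hours
let starttime = 8d;   // baseline window is [8d ago, 1d ago)
let threshold = 2.0;  // alert when today's count is more than 2x the baseline
(union isfuzzy=true
(SecurityEvent
| where TimeGenerated >= ago(endtime)
| where EventID == 4624 and LogonType == 10
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)
by Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName),
// WindowsEvent (forwarded events) carries the fields inside the dynamic
// EventData column, so Account/IpAddress/AccountType are derived here to
// match the SecurityEvent schema above before the two branches are unioned.
(WindowsEvent
| where TimeGenerated >= ago(endtime)
| where EventID == 4624
| extend LogonType = tostring(EventData.LogonType)
// NOTE(review): this branch compares the string produced by tostring() with
// the number 10, while the baseline branch below uses toint(). Align the two
// (toint() here as well) and confirm this branch actually returns rows.
| where  LogonType == 10
| extend ProcessName = tostring(EventData.ProcessName)
| extend Account = strcat(tostring(EventData.TargetDomainName),"\\", tostring(EventData.TargetUserName))
| extend IpAddress = tostring(EventData.IpAddress)
| extend TargetUserSid = tostring(EventData.TargetUserSid)
// Computer accounts end with "$"; S-1-5-18/19/20 are the well-known
// SYSTEM, LOCAL SERVICE and NETWORK SERVICE SIDs.
| extend AccountType=case(Account endswith "$" or TargetUserSid in ("S-1-5-18", "S-1-5-19", "S-1-5-20"), "Machine", isempty(TargetUserSid), "", "User")
| extend Activity="4624 - An account was successfully logged on."
| extend LogonTypeName="10 - RemoteInteractive"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)
by Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName)
)
// NOTE(review): kind=inner keeps only Account/IpAddress pairs that also
// occur in the 7-day baseline. Pairs first seen today are dropped here, so
// the isempty(ComputerCountPrev7Days) branch of Ratio below cannot fire and
// a source with no history never alerts. Use kind=leftouter if first-seen
// sources should be scored too, and review the resulting alert volume.
| join kind=inner (
(union isfuzzy=true
(SecurityEvent
| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)
| where EventID == 4624 and LogonType == 10
| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress
),
( WindowsEvent
| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)
// `EventData has ("10")` is a cheap term pre-filter applied before the
// dynamic column is parsed; the today-branch above does not use it.
| where EventID == 4624  and EventData has ("10")
| extend LogonType = toint(EventData.LogonType)
| where  LogonType == 10
| extend Account = strcat(tostring(EventData.TargetDomainName),"\\", tostring(EventData.TargetUserName))
| extend IpAddress = tostring(EventData.IpAddress)
| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)
)
) on Account, IpAddress
// Multiply by 1.0 to force real division; otherwise long/long truncates.
| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))
// Where the ratio of today to previous 7 days is more than double.
| where Ratio > threshold
| project StartTime, EndTime, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet
// Split DOMAIN\user into the Name / NTDomain columns used by the Account
// entity mapping of this rule.
| extend AccountName = tostring(split(Account, @"\")[1]), AccountNTDomain = tostring(split(Account, @"\")[0])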
triggerOperator: gt
queryFrequency: 1d
description: |
  'Identifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days.
  Connections from the same system with the same account within the same day.
  RDP connections are indicated by the EventID 4624 with LogonType = 10'  
version: 1.2.6
kind: Scheduled
triggerThreshold: 0
- connectorId: SecurityEvents
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  - SecurityEvent
- connectorId: WindowsForwardedEvents
  - WindowsEvent
queryPeriod: 8d
name: Multiple RDP connections from Single System
id: 78422ef2-62bf-48ca-9bab-72c69818a425
- LateralMovement
    kind: Community
    name: Microsoft Security Research
    - Security - Threat Protection
    tier: Community
- T1021
severity: Low
- fieldMappings:
  - identifier: FullName
    columnName: Account
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountNTDomain
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IpAddress
  entityType: IP
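query: |
  // Multiple RDP connections from Single System: per (Account, IpAddress)
  // pair, compare today's distinct RDP targets (EventID 4624, LogonType 10)
  // with the previous 7 days and keep pairs whose ratio exceeds `threshold`.
  let endtime = 1d;
  let starttime = 8d;
  let threshold = 2.0;
  (union isfuzzy=true
  (SecurityEvent
  | where TimeGenerated >= ago(endtime)
  | where EventID == 4624 and LogonType == 10
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)
  by Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName),
  (WindowsEvent
  | where TimeGenerated >= ago(endtime)
  | where EventID == 4624
  | extend LogonType = tostring(EventData.LogonType)
  // NOTE(review): string from tostring() compared with the number 10; the
  // baseline branch below uses toint(). Align the two and confirm rows return.
  | where  LogonType == 10
  | extend ProcessName = tostring(EventData.ProcessName)
  | extend Account = strcat(tostring(EventData.TargetDomainName),"\\", tostring(EventData.TargetUserName))
  | extend IpAddress = tostring(EventData.IpAddress)
  | extend TargetUserSid = tostring(EventData.TargetUserSid)
  | extend AccountType=case(Account endswith "$" or TargetUserSid in ("S-1-5-18", "S-1-5-19", "S-1-5-20"), "Machine", isempty(TargetUserSid), "", "User")
  | extend Activity="4624 - An account was successfully logged on."
  | extend LogonTypeName="10 - RemoteInteractive"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)
  by Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName)
  )
  // NOTE(review): kind=inner drops Account/IpAddress pairs with no baseline
  // rows, so the isempty(ComputerCountPrev7Days) branch of Ratio cannot fire
  // and a first-seen source never alerts. Consider kind=leftouter if that is
  // intended, and review the resulting alert volume.
  | join kind=inner (
  (union isfuzzy=true
  (SecurityEvent
  | where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)
  | where EventID == 4624 and LogonType == 10
  | summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress
  ),
  ( WindowsEvent
  | where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)
  | where EventID == 4624  and EventData has ("10")
  | extend LogonType = toint(EventData.LogonType)
  | where  LogonType == 10
  | extend Account = strcat(tostring(EventData.TargetDomainName),"\\", tostring(EventData.TargetUserName))
  | extend IpAddress = tostring(EventData.IpAddress)
  | summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)
  )
  ) on Account, IpAddress
  | extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))
  // Where the ratio of today to previous 7 days is more than double.
  | where Ratio > threshold
  | project StartTime, EndTime, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet
  | extend AccountName = tostring(split(Account, @"\")[1]), AccountNTDomain = tostring(split(Account, @"\")[0])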
  "$schema": "",
  "contentVersion": "",
  "parameters": {
    "workspace": {
      "type": "String"
  "resources": [
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/78422ef2-62bf-48ca-9bab-72c69818a425')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/78422ef2-62bf-48ca-9bab-72c69818a425')]",
      "properties": {
        "alertRuleTemplateName": "78422ef2-62bf-48ca-9bab-72c69818a425",
        "customDetails": null,
        "description": "'Identifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days.\nConnections from the same system with the same account within the same day.\nRDP connections are indicated by the EventID 4624 with LogonType = 10'\n",
        "displayName": "Multiple RDP connections from Single System",
        "enabled": true,
        "entityMappings": [
            "entityType": "Account",
            "fieldMappings": [
                "columnName": "Account",
                "identifier": "FullName"
                "columnName": "AccountName",
                "identifier": "Name"
                "columnName": "AccountNTDomain",
                "identifier": "NTDomain"
            "entityType": "IP",
            "fieldMappings": [
                "columnName": "IpAddress",
                "identifier": "Address"
        "OriginalUri": "",
        "query": "let endtime = 1d;\nlet starttime = 8d;\nlet threshold = 2.0;\n(union isfuzzy=true\n(SecurityEvent\n| where TimeGenerated >= ago(endtime)\n| where EventID == 4624 and LogonType == 10\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\nby Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName),\n(WindowsEvent\n| where TimeGenerated >= ago(endtime)\n| where EventID == 4624\n| extend LogonType = tostring(EventData.LogonType)\n| where  LogonType == 10\n| extend ProcessName = tostring(EventData.ProcessName)\n| extend Account = strcat(tostring(EventData.TargetDomainName),\"\\\\\", tostring(EventData.TargetUserName))\n| extend IpAddress = tostring(EventData.IpAddress)\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\n| extend AccountType=case(Account endswith \"$\" or TargetUserSid in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"), \"Machine\", isempty(TargetUserSid), \"\", \"User\")\n| extend Activity=\"4624 - An account was successfully logged on.\"\n| extend LogonTypeName=\"10 - RemoteInteractive\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\nby Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName)\n)\n| join kind=inner (\n(union isfuzzy=true\n(SecurityEvent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\n| where EventID == 4624 and LogonType == 10\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\n),\n( WindowsEvent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\n| where EventID == 4624  and EventData has (\"10\")\n| extend LogonType = toint(EventData.LogonType)\n| where  LogonType == 10\n| extend Account = 
strcat(tostring(EventData.TargetDomainName),\"\\\\\", tostring(EventData.TargetUserName))\n| extend IpAddress = tostring(EventData.IpAddress)\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\n)\n) on Account, IpAddress\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\n// Where the ratio of today to previous 7 days is more than double.\n| where Ratio > threshold\n| project StartTime, EndTime, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\n| extend AccountName = tostring(split(Account, @\"\\\")[1]), AccountNTDomain = tostring(split(Account, @\"\\\")[0])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P8D",
        "severity": "Low",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
        "techniques": [
        "templateVersion": "1.2.6",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"