We are delighted to introduce the Public Preview for the Anomalous RDP Login Detection in Azure Sentinel’s latest machine learning (ML) Behavior Analytics offering. Azure Sentinel can apply machine learning to Windows Security Events data to identify anomalous Remote Desktop Protocol (RDP) login activity. Scenarios include:
- Unusual IP – the IP address has rarely or never been seen in the last 30 days.
- Unusual geolocation – the IP address, city, country, and ASN have rarely or never been seen in the last 30 days.
- New user – a new user logs in from an IP address and geolocation, both or either of which were not expected to be seen based on data from the last 30 days.
Configure anomalous RDP login detection
- You must be collecting RDP login data (Event ID 4624) through the Security events data connector. Make sure that in the connector’s configuration you have selected an event set besides “None” to stream into Azure Sentinel.
- From the Azure Sentinel portal, click Analytics, and then click the Rule templates tab. Choose the (Preview) Anomalous RDP Login Detection rule, and move the Status slider to Enabled.
As the machine learning algorithm requires 30 days’ worth of data to build a baseline profile of user behavior, you must allow 30 days of Security events data to be collected before any incidents can be detected.