I create a custom detection that starts like this:


let BackupServers = dynamic(["backup-01", "backup-02"]);   // placeholder: replace with the backup server names
let ExpectedAccounts = dynamic(["backupsvc", "vmadmin"]);  // placeholder: replace with the accounts allowed to log on
DeviceLogonEvents
| where ActionType == "LogonSuccess"
| where DeviceName has_any (BackupServers)
| where not(AccountName has_any (ExpectedAccounts))


...with the idea of catching an unexpected account successfully logging into backup servers (through compromise/privilege escalation).


Should work, right? But upon testing, I've come to realize that RDP logons don't register in the DeviceLogonEvents table. Is that by design? Could Microsoft fix this?
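A quick way to see which logon types the table is actually recording for those hosts, as an added check that is not part of the original post (the BackupServers list is a placeholder; LogonType, Protocol and AccountName are standard DeviceLogonEvents columns):

```kql
// Added check: what does DeviceLogonEvents actually capture for the backup servers?
let BackupServers = dynamic(["backup-01", "backup-02"]);   // placeholder names, replace with your own
DeviceLogonEvents
| where Timestamp > ago(7d)
| where DeviceName has_any (BackupServers)
| where ActionType == "LogonSuccess"
// one row per host / logon type / protocol, with the accounts seen and the time window
| summarize Logons = count(),
            Accounts = make_set(AccountName, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, LogonType, Protocol
| order by DeviceName asc, Logons desc
```

Run it in Advanced Hunting right after an RDP test logon to the backup server: if no row with a remote interactive logon type appears for that host in the window, the detection as written will never see that session.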