
I create a custom detection that starts like this:

let BackupServers = dynamic(["<backup-server-1>", "<backup-server-2>"]);          // placeholders for the backup server names
let ExpectedAccounts = dynamic(["<expected-account-1>", "<expected-account-2>"]);  // placeholders for the accounts allowed to log on
DeviceLogonEvents
| where ActionType == "LogonSuccess"
| where DeviceName has_any (BackupServers)
| where not(AccountName has_any (ExpectedAccounts))

...with the idea of catching an unexpected account successfully logging into backup servers (through compromise/privilege escalation).


Should work, right?  But upon testing, I've come to realize that RDP logons don't register in the DeviceLogonEvents table.  Is that by design??  Could Microsoft fix this?
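A variant of that detection, added here as an example rather than the poster's own query, that surfaces the LogonType column (so RemoteInteractive, i.e. RDP, sessions can be told apart from Network logons when checking what the table actually records for those hosts) and uses an exact, case-insensitive allow-list match for the accounts; the server and account values are placeholders.

```kql
// Added example, not the original post's query. Host and account names below are placeholders.
let BackupServers = dynamic(["<backup-server-1>", "<backup-server-2>"]);
let ExpectedAccounts = dynamic(["<svc-backup>", "<backup-admin>"]);
DeviceLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonSuccess"
| where DeviceName has_any (BackupServers)
// in~ is an exact, case-insensitive match. has_any is term-based, so an allow-list
// entry such as "admin" would also match an account named "backup-admin".
| where not(AccountName in~ (ExpectedAccounts))
// Grouping by LogonType shows which logon kinds (Interactive, Network,
// RemoteInteractive, ...) are present for the backup hosts at all.
| summarize Logons = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, AccountDomain, AccountName, LogonType, RemoteIP
| order by LastSeen desc
```

Dropping the account exclusion and keeping only the `summarize` is a quick way to confirm whether any RemoteInteractive rows exist for the backup servers before relying on the rule.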
