Detection rules › Kusto
Remote Desktop Network Brute force (ASIM Network Session schema)
This detection identifies RDP application network traffic and filters any source/destination pair generating more than 25 events hard threshold.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110 Brute Force |
Event coverage
Rule body kusto
id: b7dc801e-1e79-48bb-91e8-2229a8e6d40b
name: Remote Desktop Network Brute force (ASIM Network Session schema)
description: |
'This detection identifies RDP application network traffic and filters any source/destination pair generating more than 25 events hard threshold.'
severity: Medium
status: Available
tags:
- Schema: ASimNetworkSessions
SchemaVersion: 0.2.4
requiredDataConnectors: []
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1110
query: |
// Start of the query and Filter events that resulted in failure
_Im_NetworkSession(eventresult="Failure")
// Filter out private source IP addresses and focus on specific destination port (3389)
// Also, ensure that the source and destination IP addresses are not the same
| where not(ipv4_is_private(SrcIpAddr)) and tostring(DstPortNumber) has_any ("3389") and SrcIpAddr != DstIpAddr
// Summarize the data by source and destination IP addresses, destination port number, network protocol, and event result
// Also, bin the time generated in 5-minute intervals
// Calculate the minimum and maximum time generated, the sum of event counts, and a set of up to 10 event vendors
| summarize Starttime= min(TimeGenerated),EndTime= max(TimeGenerated),TargettedIPs=dcount(DstIpAddr),Eventscount=sum(EventCount),EventVendors=make_set(EventVendor,10) by SrcIpAddr,DstPortNumber,EventResult, bin(TimeGenerated, 5m)
// Filter the summarized data to include only those with an event count of 25 or more
| where Eventscount >= 25
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.0
kind: Scheduled
Stages and Predicates
Stage 1: source
_Im_NetworkSession(eventresult="Failure")
Stage 2: where
| where not(ipv4_is_private(SrcIpAddr)) and tostring(DstPortNumber) has_any ("3389") and SrcIpAddr != DstIpAddr
Stage 3: summarize
| summarize Starttime= min(TimeGenerated),EndTime= max(TimeGenerated),TargettedIPs=dcount(DstIpAddr),Eventscount=sum(EventCount),EventVendors=make_set(EventVendor,10) by SrcIpAddr,DstPortNumber,EventResult, bin(TimeGenerated, 5m)
Stage 4: where
| where Eventscount >= 25
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
SrcIpAddr | cidr_match | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 127.0.0.0/8 |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
DstPortNumber | match |
|
Eventscount | ge |
|
SrcIpAddr | ne |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
DstPortNumber | summarize |
EndTime | summarize |
EventResult | summarize |
EventVendors | summarize |
Eventscount | summarize |
SrcIpAddr | summarize |
Starttime | summarize |
TargettedIPs | summarize |