Remote Interactive Logons (RDP)
Identifies remote interactive logons on a specific endpoint. The query filters UserIdentity events for LogonType=10, the Windows RemoteInteractive logon type that is recorded for Remote Desktop sessions and other Terminal Services based access such as Remote Assistance. Results are scoped to the sensor identified by the aid parameter and display up to 1,000 events, with the timestamp, username, user principal, and the logon server that authenticated the session. Useful for reviewing remote access activity during an investigation or as part of routine monitoring.
Tags: EDR, hunting, T1021 (Remote Services)
Data source: FDR. Level: intermediate. By ByteRay (cql-hub.com). 1 min read.
Query
#event_simpleName=UserIdentity
| aid=?aid LogonType=10
|table([@timestamp,UserName,UserPrincipal,LogonServer],limit=1000)
Explanation
Imported from cql-hub.com.
#event_simpleName=UserIdentity selects only the UserIdentity events, which carry the logon type, the user principal and the logon server for each session.
aid=?aid LogonType=10 restricts the results to one sensor, supplied at run time through the ?aid parameter, and keeps only RemoteInteractive (type 10) logons. The LogonType value is stored as a string in the event, so match it as written here rather than with a numeric comparison.
table([@timestamp,UserName,UserPrincipal,LogonServer],limit=1000) renders the four columns and caps the output at 1,000 rows; narrow the time range or raise the limit if a busy host returns more remote sessions than that.
Two caveats when reading the results: with Network Level Authentication enabled, an RDP connection is preceded by a network logon (type 3) for the same user a moment before the type 10 session appears, and reconnecting to a disconnected RDP session may be recorded as an unlock (type 7) rather than a new type 10 logon, so a host with long-lived sessions can show fewer type 10 events than there were RDP connections.
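To show exactly which records the three pipeline stages keep and drop, the following added example (not the page's own or CrowdStrike's code) re-implements the query offline in Python over a constructed list of flattened FDR-style UserIdentity and UserLogon records. The field names follow the query; every aid, user and timestamp value is made up, and the LOGON_TYPES table is a helper for reading the output, not a field in the data.

```python
"""
Offline re-implementation of the CQL query: keep UserIdentity events,
keep those for one sensor (aid) with LogonType 10 (RemoteInteractive),
then tabulate four columns with a row limit. Added example; the events
below are constructed sample data with fake aid values.
"""
from typing import Dict, Iterable, List

# Windows logon type codes an analyst meets while reviewing the table.
# FDR stores LogonType as a string, so the keys are strings too.
LOGON_TYPES = {
    "2": "Interactive",
    "3": "Network",
    "7": "Unlock",
    "10": "RemoteInteractive",
    "11": "CachedInteractive",
}

TABLE_FIELDS = ["@timestamp", "UserName", "UserPrincipal", "LogonServer"]

# Constructed sample events shaped like flattened FDR records (fake data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_simpleName": "UserIdentity", "aid": "aaaa0000", "LogonType": "10",
     "@timestamp": "2024-05-01T08:00:00Z", "UserName": "alice",
     "UserPrincipal": "alice@corp.example", "LogonServer": "DC01"},
    # NLA pre-authentication for the same RDP session: a type 3 logon,
    # which the query intentionally drops.
    {"event_simpleName": "UserIdentity", "aid": "aaaa0000", "LogonType": "3",
     "@timestamp": "2024-05-01T07:59:58Z", "UserName": "alice",
     "UserPrincipal": "alice@corp.example", "LogonServer": "DC01"},
    # Console logon on the same host: dropped by LogonType=10.
    {"event_simpleName": "UserIdentity", "aid": "aaaa0000", "LogonType": "2",
     "@timestamp": "2024-05-01T09:10:00Z", "UserName": "bob",
     "UserPrincipal": "bob@corp.example", "LogonServer": "DC01"},
    # RDP logon on a different sensor: dropped by aid=?aid.
    {"event_simpleName": "UserIdentity", "aid": "bbbb1111", "LogonType": "10",
     "@timestamp": "2024-05-01T09:30:00Z", "UserName": "carol",
     "UserPrincipal": "carol@corp.example", "LogonServer": "DC02"},
    # A UserLogon event also carries LogonType but is not a UserIdentity
    # event, so the first stage drops it.
    {"event_simpleName": "UserLogon", "aid": "aaaa0000", "LogonType": "10",
     "@timestamp": "2024-05-01T10:00:00Z", "UserName": "dave",
     "LogonServer": "DC01"},
    {"event_simpleName": "UserIdentity", "aid": "aaaa0000", "LogonType": "10",
     "@timestamp": "2024-05-01T23:45:00Z", "UserName": "svc_backup",
     "UserPrincipal": "svc_backup@corp.example", "LogonServer": "DC01"},
]


def remote_interactive_logons(events: Iterable[Dict[str, str]], aid: str,
                              limit: int = 1000) -> List[Dict[str, str]]:
    """Mirror of the query's three stages.

    Returns at most `limit` rows containing only TABLE_FIELDS, in input
    order, like table([...], limit=1000). A missing column becomes "" so
    a malformed record cannot raise KeyError.
    """
    rows: List[Dict[str, str]] = []
    for ev in events:
        # Stage 1: #event_simpleName=UserIdentity
        if ev.get("event_simpleName") != "UserIdentity":
            continue
        # Stage 2: aid=?aid LogonType=10 (string compare, as FDR stores it)
        if ev.get("aid") != aid or str(ev.get("LogonType")) != "10":
            continue
        # Stage 3: table([...], limit=N)
        rows.append({f: ev.get(f, "") for f in TABLE_FIELDS})
        if len(rows) >= limit:
            break
    return rows


def describe_logon_type(code: object) -> str:
    """Readable name for a Windows logon type code, for analysts reviewing hits."""
    return LOGON_TYPES.get(str(code), f"Unknown({code})")


if __name__ == "__main__":
    for row in remote_interactive_logons(SAMPLE_EVENTS, aid="aaaa0000"):
        print(row)
```

Running it prints only alice's 08:00 session and the svc_backup session at 23:45 for sensor aaaa0000; the NLA type 3 logon, the console logon, carol's RDP session on the other sensor and the UserLogon record are all filtered out, which matches what the CQL pipeline returns for the same records.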
Variables to adjust
Review and adjust the values for your environment. ?aid is the agent ID of the endpoint under review and is supplied as a query parameter when the search runs; change LogonType if you want to review other session types, and raise limit if the host has more than 1,000 remote sessions in the selected time range.