Recently found out the Sentinel Defender XDR connector isn't pulling in the additional DeviceNetworkEvents fields (IsInitiatingProcessRemoteSession and the InitiatingProcessRemoteSession* columns), so anyone wanting custom RDP-nesting (chained RDP) rules would need to build them in Defender XDR advanced hunting rather than in Sentinel 😞
Wrote this KQL for it, but haven't had time to test it yet — treat it as a starting point rather than a finished detection rule.
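// Chained ("nested") RDP hunt for Defender XDR Advanced Hunting.
//
//   hop 1: a process running inside a remote session on FirstDeviceName (the session
//          arrived from FirstRemoteSessionDeviceName) makes a successful outbound RDP
//          connection to FirstRemoteIP;
//   hop 2: within hopWindow the same account, now inside a remote session that came
//          FROM FirstDeviceName, makes another outbound RDP connection from SecondDeviceName.
//
// Relies on IsInitiatingProcessRemoteSession / InitiatingProcessRemoteSession*, which the
// Sentinel Defender XDR connector does not forward, so this has to run in Defender XDR.
//
// Fixes vs. the first draft:
//   * RemotePort 389 is LDAP; RDP is 3389.
//   * IsInitiatingProcessRemoteSession is bool and RemotePort is int — comparing them to
//     the string literals "True" / "389" fails type-checking in KQL.
//   * Events with an empty InitiatingProcessAccountName are dropped before the self-join,
//     otherwise every empty-account event joins every other empty-account event.
//   * The filter is built once (materialize) instead of scanning the table twice, and the
//     time window is applied before the device-name correlation to shrink the join output.
let lookback  = 7d;    // how far back to search; tune to tenant retention/volume
let hopWindow = 30m;   // maximum gap between hop 1 and hop 2
let rdpHops = materialize(
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where IsInitiatingProcessRemoteSession == true       // process runs inside an RDP session
    | where ActionType == "ConnectionSuccess"
    | where RemotePort == 3389                              // RDP (389 would be LDAP)
    | where isnotempty(InitiatingProcessAccountName)        // empty keys would cross-join
    | project Timestamp, DeviceName, LocalIP, RemoteUrl, RemoteIP,
              Account                 = InitiatingProcessAccountName,
              AccountUPN              = InitiatingProcessAccountUpn,
              RemoteSessionDeviceName = InitiatingProcessRemoteSessionDeviceName,
              RemoteSessionIP         = InitiatingProcessRemoteSessionIP
);
rdpHops
| project-rename FirstHop = Timestamp, FirstDeviceName = DeviceName, FirstLocalIP = LocalIP,
                 FirstRemoteURL = RemoteUrl, FirstRemoteIP = RemoteIP,
                 FirstRemoteSessionDeviceName = RemoteSessionDeviceName,
                 FirstRemoteSessionIP = RemoteSessionIP
| join kind=inner (
    rdpHops
    | project-rename SecondHop = Timestamp, SecondDeviceName = DeviceName, SecondLocalIP = LocalIP,
                     SecondRemoteURL = RemoteUrl, SecondRemoteIP = RemoteIP,
                     SecondRemoteSessionDeviceName = RemoteSessionDeviceName,
                     SecondRemoteSessionIP = RemoteSessionIP
) on $left.Account == $right.Account
// Hop 2 must happen after hop 1, and within the window.
| where SecondHop > FirstHop and SecondHop <= FirstHop + hopWindow
// Hop 2's remote session must originate from the device that made hop 1.
// `has` rather than `==` because DeviceName is typically an FQDN while the
// session-source name may be a short hostname; confirm against your tenant's data.
| where SecondRemoteSessionDeviceName has FirstDeviceName
// Exclude the trivial case where both hops came from the same origin host.
| where FirstRemoteSessionDeviceName != SecondRemoteSessionDeviceName
// The join duplicates the key columns from the right side; drop the copies.
| project-away Account1, AccountUPN1
| project-reorder Account, AccountUPN, FirstHop, SecondHop,
                  FirstRemoteSessionDeviceName, FirstRemoteSessionIP, FirstDeviceName, FirstLocalIP,
                  SecondRemoteSessionDeviceName, SecondRemoteSessionIP, SecondDeviceName, SecondLocalIP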