While playing with log queries in Sentinel, I found several RDP connections to my test machines and would like to know if these attempts were successful or not. I looked for messages such as "User Authentication succeeded" or event ID 1149 but couldn't find any. However, in my Sentinel logs I can see the following logs:
For anyone else who is looking for this, the solution is to filter by Event in Sentinel logs, after enabling Windows RDP logs under DATA => Windows Events Logs. You can use the following query for testing:
Event | where RenderedDescription contains "A connection from the client computer with an IP address of" and RenderedDescription contains "failed because the user name or password is not correct."
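
Building on the query above, this added example (not part of the original post) extracts the client IP from the message and counts failed RDP logons per machine and source address. The 7-day window, the threshold of 10 and the output column names are assumptions chosen for illustration.

```kusto
// Added example: summarize failed RDP logons by target machine and client IP.
// Uses the same message text as the query in the post.
Event
| where TimeGenerated > ago(7d)            // assumed look-back window
| where RenderedDescription contains "A connection from the client computer with an IP address of"
    and RenderedDescription contains "failed because the user name or password is not correct."
// Pull the address out of the rendered message text.
| parse RenderedDescription with * "IP address of " ClientIP " failed because" *
| summarize FailedAttempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Computer, ClientIP
| where FailedAttempts >= 10               // assumed threshold; tune to your environment
| order by FailedAttempts desc
```

Sources with a high count over a short FirstSeen to LastSeen span are the ones to review first or to block at the network edge.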