%3CLINGO-SUB%20id%3D%22lingo-sub-1521988%22%20slang%3D%22en-US%22%3EWhat's%20New%3A%20Azure%20Sentinel%20Machine%20Learning%20Behavior%20Analytics%3A%20Anomalous%20RDP%20Login%20Detection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1521988%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20delighted%20to%20introduce%20the%20Public%20Preview%20for%20the%20Anomalous%20RDP%20Login%20Detection%20in%20Azure%20Sentinel%E2%80%99s%20latest%20machine%20learning%20(ML)%20Behavior%20Analytics%20offering.%20Azure%20Sentinel%20can%20apply%20machine%20learning%20to%20Windows%20Security%20Events%20data%20to%20identify%20anomalous%20Remote%20Desktop%20Protocol%20(RDP)%20login%20activity.%20Scenarios%20include%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EUnusual%20IP%20-%20the%20IP%20address%20has%20rarely%20or%20never%20been%20seen%20in%20the%20last%2030%20days.%3C%2FLI%3E%0A%3CLI%3EUnusual%20geolocation%20-%20the%20IP%20address%2C%20city%2C%20country%2C%20and%20ASN%20have%20rarely%20or%20never%20been%20seen%20in%20the%20last%2030%20days.%3C%2FLI%3E%0A%3CLI%3ENew%20user%20-%20a%20new%20user%20logs%20in%20from%20an%20IP%20address%20and%20geolocation%2C%20both%20or%20either%20of%20which%20were%20not%20expected%20to%20be%20seen%20based%20on%20data%20from%20the%20last%2030%20days.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1197951896%22%20id%3D%22toc-hId-1197951896%22%20id%3D%22toc-hId-1197951896%22%20id%3D%22toc-hId-1197951896%22%20id%3D%22toc-hId-1197951896%22%20id%3D%22toc-hId-1197951896%22%20id%3D%22toc-hId-1197951896%22%3EConfigure%20anomalous%20RDP%20login%20detection%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EYou%20must%20be%20collecting%20RDP%20login%20data%20(Event%20ID%204624)%20through%20the%20-ERR%3AREF-NOT-FOUND-Security%20events%20data%20connector.%20Make%20sure%20that%20in%20the%20connector%E2%80%99s%20configuration%20you%20have%20selected%20an%20event%20set%20besides%20%22None%22%20to%20stream%20into%20Azure%20Sentinel.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%222%22%3E%0A%3CLI%3EFrom%20the%20Azure%20Sentinel%20portal%2C%20click%20%3CSTRONG%3EAnalytics%3C%2FSTRONG%3E%2C%20and%20then%20click%20the%20%3CSTRONG%3ERule%20templates%3C%2FSTRONG%3E%20tab.%20Choose%20the%20%3CSTRONG%3E(Preview)%20Anomalous%20RDP%20Login%20Detection%3C%2FSTRONG%3E%20rule%2C%20and%20move%20the%20%3CSTRONG%3EStatus%3C%2FSTRONG%3E%20slider%20to%20%3CSTRONG%3EEnabled%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EAs%20the%20machine%20learning%20algorithm%20requires%2030%20days'%20worth%20of%20data%20to%20build%20a%20baseline%20profile%20of%20user%20behavior%2C%20you%20must%20allow%2030%20days%20of%20Security%20events%20data%20to%20be%20collected%20before%20any%20incidents%20can%20be%20detected.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1521988%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20delighted%20to%20introduce%20the%20Public%20Preview%20for%20the%20Anomalous%20RDP%20Login%20Detection%20in%20Azure%20Sentinel%E2%80%99s%20latest%20machine%20learning%20(ML)%20Behavior%20Analytics%20offering.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1521988%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Sentinel%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDetection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWhat's%20New%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1531843%22%20slang%3D%22en-US%22%3ERe%3A%20What's%20New%3A%20Azure%20Sentinel%20Machine%20Learning%20Behavior%20Analytics%3A%20Anomalous%20RDP%20Login%20Detection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1531843%22%20slang%3D%22en-US%22%3E%3CP%3EAre%20baselines%20tracked%20individually%20per%20host%20(i.e.%20RDP%20server)%20or%20collectively%20for%20per%20hosts%20appearing%20in%20securityevent%20table%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1532473%22%20slang%3D%22en-US%22%3ERe%3A%20What's%20New%3A%20Azure%20Sentinel%20Machine%20Learning%20Behavior%20Analytics%3A%20Anomalous%20RDP%20Login%20Detection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1532473%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20majo01%2C%20baselines%20are%20tracked%20on%20a%20per%20workspace%20and%20per%20user%20basis.%20For%20instance%2C%20if%20a%20user%20logs%20in%20from%20a%20city%20in%20which%20they%20have%20never%20visited%20before%20but%20their%20colleagues%20in%20the%20workspace%20have%2C%20then%20that%20anomaly%20will%20get%20a%20lower%20score%20in%20the%20algorithm.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1532667%22%20slang%3D%22en-US%22%3ERe%3A%20What's%20New%3A%20Azure%20Sentinel%20Machine%20Learning%20Behavior%20Analytics%3A%20Anomalous%20RDP%20Login%20Detection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1532667%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F722792%22%20target%3D%22_blank%22%3E%40farazfadavi%3C%2FA%3EThanks.%3C%2FP%3E%3CP%3EWe%20are%20in%20a%20project%20of%20onboarding%20of%20new%20Windows%20servers%20to%20a%20single%20Sentinel%20workspace%2C%20so%20more%20waves%20of%20windows%20servers%20and%20users%20can%20appear%20suddenly%20in%20Sentinel.%20Is%20it%20okay%20to%20start%20this%20RDP%20ML%20Rule%20in%20such%20%22turbulent%22%20environment%20or%20we%20should%20wait%20until%20the%20full%20set%20of%20event%20sources%20stabilizes%20%3F%3C%2FP%3E%3CP%3EI%20am%20asking%20this%20because%20i%20know%20the%20rule%20would%20enter%20a%2030%20days%20learning%20period.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1536829%22%20slang%3D%22en-US%22%3ERe%3A%20What's%20New%3A%20Azure%20Sentinel%20Machine%20Learning%20Behavior%20Analytics%3A%20Anomalous%20RDP%20Login%20Detection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1536829%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F540154%22%20target%3D%22_blank%22%3E%40majo01%3C%2FA%3E%2C%20the%20detection%20works%20on%20a%20per%20user%20basis%20as%20well%2C%20so%20as%20long%20as%20you%20are%20not%20adding%20a%20bulk%20of%20new%20information%20for%20a%20single%20user%2C%20you%20will%20not%20be%20overloaded%20with%20alerts.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1605600%22%20slang%3D%22en-US%22%3ERe%3A%20What's%20New%3A%20Azure%20Sentinel%20Machine%20Learning%20Behavior%20Analytics%3A%20Anomalous%20RDP%20Login%20Detection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1605600%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20to%20see%20this%20feature%20get%20into%20public%20preview!%20Thank%20you%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F722792%22%20target%3D%22_blank%22%3E%40farazfadavi%3C%2FA%3E%26nbsp%3B!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

We are delighted to introduce the Public Preview for the Anomalous RDP Login Detection in Azure Sentinel’s latest machine learning (ML) Behavior Analytics offering. Azure Sentinel can apply machine learning to Windows Security Events data to identify anomalous Remote Desktop Protocol (RDP) login activity. Scenarios include:

 

  • Unusual IP - the IP address has rarely or never been seen in the last 30 days.
  • Unusual geolocation - the IP address, city, country, and ASN have rarely or never been seen in the last 30 days.
  • New user - a new user logs in from an IP address and geolocation, both or either of which were not expected to be seen based on data from the last 30 days.

 

Configure anomalous RDP login detection

 

  1. You must be collecting RDP login data (Event ID 4624) through the Security events data connector. Make sure that in the connector’s configuration you have selected an event set besides "None" to stream into Azure Sentinel.

 

  1. From the Azure Sentinel portal, click Analytics, and then click the Rule templates tab. Choose the (Preview) Anomalous RDP Login Detection rule, and move the Status slider to Enabled.

As the machine learning algorithm requires 30 days' worth of data to build a baseline profile of user behavior, you must allow 30 days of Security events data to be collected before any incidents can be detected.

5 Comments
Occasional Contributor

Are baselines tracked individually per host (i.e. RDP server) or collectively for per hosts appearing in securityevent table ?

Microsoft

Hi majo01, baselines are tracked on a per workspace and per user basis. For instance, if a user logs in from a city in which they have never visited before but their colleagues in the workspace have, then that anomaly will get a lower score in the algorithm.

Occasional Contributor

@farazfadaviThanks.

We are in a project of onboarding of new Windows servers to a single Sentinel workspace, so more waves of windows servers and users can appear suddenly in Sentinel. Is it okay to start this RDP ML Rule in such "turbulent" environment or we should wait until the full set of event sources stabilizes ?

I am asking this because i know the rule would enter a 30 days learning period.

 

Thanks.

Microsoft

@majo01, the detection works on a per user basis as well, so as long as you are not adding a bulk of new information for a single user, you will not be overloaded with alerts.

Microsoft

Great to see this feature get into public preview! Thank you @farazfadavi !