What's New: Azure Sentinel Machine Learning Behavior Analytics: Anomalous RDP Login Detection
Published Jul 14 2020 01:37 PM
Microsoft

We are delighted to introduce the Public Preview for the Anomalous RDP Login Detection in Azure Sentinel’s latest machine learning (ML) Behavior Analytics offering. Azure Sentinel can apply machine learning to Windows Security Events data to identify anomalous Remote Desktop Protocol (RDP) login activity. Scenarios include:

  • Unusual IP - the IP address has rarely or never been seen in the last 30 days.
  • Unusual geolocation - the IP address, city, country, and ASN have rarely or never been seen in the last 30 days.
  • New user - a new user logs in from an IP address and geolocation, both or either of which were not expected to be seen based on data from the last 30 days.

Configure anomalous RDP login detection

  1. You must be collecting RDP login data (Event ID 4624) through the Security events data connector. Make sure that in the connector’s configuration you have selected an event set besides "None" to stream into Azure Sentinel.

  2. From the Azure Sentinel portal, click Analytics, and then click the Rule templates tab. Choose the (Preview) Anomalous RDP Login Detection rule, and move the Status slider to Enabled.

As the machine learning algorithm requires 30 days' worth of data to build a baseline profile of user behavior, you must allow 30 days of Security events data to be collected before any incidents can be detected.

5 Comments
Brass Contributor

Are baselines tracked individually per host (i.e. RDP server) or collectively for all hosts appearing in the SecurityEvent table?

Microsoft

Hi majo01, baselines are tracked on a per workspace and per user basis. For instance, if a user logs in from a city they have never visited before but their colleagues in the workspace have, then that anomaly will get a lower score in the algorithm.
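To make the per-user and per-workspace baseline idea concrete (the three scenarios in the post plus the colleague effect described in the reply above), here is an added illustrative Python model. It is not Sentinel's algorithm or code from this post; the rarity threshold, the 0.5 weight for workspace-seen values and the sample history are all assumptions.

```python
from collections import Counter, defaultdict, namedtuple
# One successful RDP logon (Event ID 4624) enriched with geolocation and ASN.
RdpLogon = namedtuple("RdpLogon", "user ip city country asn")

def attrs(logon):
    """The (attribute, value) pairs the baseline tracks for a logon."""
    return [(f, getattr(logon, f)) for f in RdpLogon._fields[1:]]

class RdpBaseline:
    """Counts each (attribute, value) pair per user and across the whole workspace."""
    def __init__(self, rare_threshold=2):
        self.rare_threshold = rare_threshold  # assumed: fewer sightings than this is "rare"
        self.per_user = defaultdict(Counter)  # user -> Counter[(attr, value)]
        self.workspace = Counter()            # (attr, value) summed over every user

    def learn(self, logon):
        """Add one historical logon (the 30-day window) to both baselines."""
        for key in attrs(logon):
            self.per_user[logon.user][key] += 1
            self.workspace[key] += 1

    def score(self, logon):
        """Return (score, reasons): each attribute the user has rarely or never used adds
        1.0, halved when colleagues in the same workspace have already used it (assumed weights)."""
        reasons, score = [], 0.0
        seen = self.per_user.get(logon.user, Counter())
        if logon.user not in self.per_user:
            reasons.append("new user")
        for key in attrs(logon):
            if seen[key] >= self.rare_threshold:
                continue                      # normal for this user: contributes nothing
            weight = 0.5 if self.workspace[key] >= self.rare_threshold else 1.0
            score += weight
            reasons.append(f"{'rare' if seen[key] else 'unseen'} {key[0]} {key[1]} x{weight}")
        return score, reasons

def demo():
    """Constructed history (not real data): alice and bob from Seattle, bob also from London."""
    base = RdpBaseline()
    history = [RdpLogon("alice", "203.0.113.10", "Seattle", "US", "AS64496")] * 20 \
        + [RdpLogon("bob", "203.0.113.11", "Seattle", "US", "AS64496")] * 20 \
        + [RdpLogon("bob", "198.51.100.7", "London", "GB", "AS64497")] * 5
    for logon in history:
        base.learn(logon)
    return {
        "alice_usual": base.score(RdpLogon("alice", "203.0.113.10", "Seattle", "US", "AS64496")),
        "alice_colleague_geo": base.score(RdpLogon("alice", "198.51.100.7", "London", "GB", "AS64497")),
        "alice_unknown_geo": base.score(RdpLogon("alice", "192.0.2.5", "Lagos", "NG", "AS64498")),
        "new_user": base.score(RdpLogon("carol", "203.0.113.10", "Seattle", "US", "AS64496")),
    }
```

Running `demo()` shows alice's login from the London location bob already uses scoring lower than one from a location nobody in the workspace has used, and a brand-new user from a familiar location scoring in between with a "new user" reason.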

Brass Contributor

@farazfadavi Thanks.

We are in a project of onboarding new Windows servers to a single Sentinel workspace, so more waves of Windows servers and users can appear suddenly in Sentinel. Is it okay to start this RDP ML rule in such a "turbulent" environment, or should we wait until the full set of event sources stabilizes?

I am asking this because I know the rule would enter a 30-day learning period.

Thanks.

Microsoft

@majo01, the detection works on a per user basis as well, so as long as you are not adding a bulk of new information for a single user, you will not be overloaded with alerts.

Microsoft

Great to see this feature get into public preview! Thank you @farazfadavi !

Version history: last updated Nov 02 2021 06:06 PM