RDP from an unmanaged endpoint in a typically managed subnet

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-03-10

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: Palo Alto Networks Platform Logs OR XDR Agent
Detection Modules
Detector Tags	Enhanced RDP Analytics
ATT&CK Tactic	Lateral Movement (TA0008)
ATT&CK Technique	Remote Services: Remote Desktop Protocol (T1021.001)
Severity	Informational

Description

An RDP connection was established from an unmanaged endpoint in a typically managed subnet, indicating a possible lateral movement.

Attacker's Goals

Lateral movement to critical assets from an unmanaged host.

Investigative actions

Verify if the source endpoint is authorized to perform RDP connections.
Validate that the source endpoint is managed or unmanaged.
Investigate the user account used for the RDP connection.

Variations

RDP from an unmanaged endpoint in a typically managed subnet with a significantly higher number of managed endpoints in the subnet

Synopsis

ATT&CK Tactic	Lateral Movement (TA0008)
ATT&CK Technique	Remote Services: Remote Desktop Protocol (T1021.001)
Severity	Low

Description

An RDP connection was established from an unmanaged endpoint in a typically managed subnet, indicating a possible lateral movement. The source subnet has a significantly higher number of managed endpoints compared to the unmanaged ones.

Attacker's Goals

Lateral movement to critical assets from an unmanaged host.

Investigative actions

Verify if the source endpoint is authorized to perform RDP connections.
Validate that the source endpoint is managed or unmanaged.
Investigate the user account used for the RDP connection.