Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A successful RDP connection by a user from an external IP address that is unusual for that user.
This may indicate the use of stolen credentials or other malicious activity.
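As an added example (not part of the original documentation and not the vendor's analytics code), the following Python script replays constructed Windows logon events through a toy version of this detection, using the activation, training and deduplication periods from the Synopsis. It assumes an RDP logon is recognised as Security event 4624 with LogonType 10 (RemoteInteractive), and that "external" means outside the RFC 1918, loopback and link-local ranges listed in the script; the sample events are constructed, not real telemetry.

```python
"""Toy replay of the "unusual external RDP" detection (added example, not
Cortex XDR's own code). Models a successful RDP logon as Windows Security
event 4624 with LogonType 10; all events below are constructed samples."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Parameters taken from the Synopsis table.
ACTIVATION_PERIOD = timedelta(days=14)  # no alerts until this much history exists
TRAINING_PERIOD = timedelta(days=30)    # an IP leaves the baseline after 30 idle days
DEDUP_PERIOD = timedelta(days=1)        # repeats from a new IP within a day are one episode

# Assumption: anything outside these ranges is an "external IP".
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

RDP_LOGON_TYPE = 10  # 4624 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample events: (timestamp, user, source IP, logon type, success).
SAMPLE_EVENTS = [
    ("2024-04-01T08:00:00", "alice", "10.0.0.5",     10, True),   # internal, ignored
    ("2024-04-02T09:00:00", "alice", "203.0.113.10", 10, True),   # learned during activation, silent
    ("2024-04-15T09:00:00", "alice", "203.0.113.10", 10, True),
    ("2024-04-28T09:00:00", "alice", "203.0.113.10", 10, True),
    ("2024-05-01T09:00:00", "alice", "203.0.113.10", 10, True),   # known external IP, no alert
    ("2024-05-01T10:00:00", "alice", "198.51.100.7", 10, True),   # never seen for alice -> alert
    ("2024-05-01T14:00:00", "alice", "198.51.100.7", 10, True),   # same day, deduplicated
    ("2024-05-01T15:00:00", "bob",   "198.51.100.7", 10, False),  # failed logon, ignored
    ("2024-05-01T16:00:00", "bob",   "192.168.1.20", 10, True),   # internal RDP, ignored
    ("2024-05-01T17:00:00", "carol", "198.51.100.7", 3,  True),   # network logon, not RDP
    ("2024-05-03T10:00:00", "alice", "198.51.100.7", 10, True),   # now part of the baseline
    ("2024-06-10T09:00:00", "alice", "203.0.113.10", 10, True),   # idle > 30 days -> alert again
]


def is_external(ip_str):
    """True if the address falls outside the internal ranges listed above."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def detect(events):
    """Replay events in time order.

    Returns (alerts, suppressed). alerts lists (timestamp, user, ip) for each
    successful external RDP logon from an IP the user has not used within the
    trailing TRAINING_PERIOD; suppressed counts repeat logons from a newly
    seen IP inside DEDUP_PERIOD, i.e. the same episode as an alert already raised.
    """
    events = sorted(events)
    start = datetime.fromisoformat(events[0][0])
    baseline = defaultdict(dict)  # user -> {ip: (first_seen, last_seen)}
    alerts, suppressed = [], 0

    for ts_str, user, ip, logon_type, success in events:
        if logon_type != RDP_LOGON_TYPE or not success or not is_external(ip):
            continue
        ts = datetime.fromisoformat(ts_str)
        profile = baseline[user]

        # Age out IPs the user has not connected from within the training window.
        for known_ip, (_, last_seen) in list(profile.items()):
            if ts - last_seen > TRAINING_PERIOD:
                del profile[known_ip]

        if ip not in profile:
            # Only alert once the detector has enough history to call anything unusual.
            if ts - start >= ACTIVATION_PERIOD:
                alerts.append((ts_str, user, ip))
            profile[ip] = (ts, ts)
        else:
            first_seen, _ = profile[ip]
            if ts - first_seen < DEDUP_PERIOD:
                suppressed += 1  # same new-IP episode, already alerted on
            profile[ip] = (first_seen, ts)

    return alerts, suppressed


if __name__ == "__main__":
    found, dup = detect(SAMPLE_EVENTS)
    for alert in found:
        print("ALERT unusual external RDP: time=%s user=%s src=%s" % alert)
    print("deduplicated repeats:", dup)
```

Run as-is it raises two alerts for alice: the first logon from 198.51.100.7, and the return from 203.0.113.10 after that address has aged out of the 30-day baseline. The second logon from 198.51.100.7 on the same day is counted as a deduplicated repeat, and failed, internal and non-RDP logons never reach the baseline.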
Attacker's Goals
The attacker attempts to gain access to a user's account over RDP from an external source.
Investigative actions
- Identify the user who made the RDP connection and confirm that the connection is authorized.
- Check whether the external IP address has a malicious reputation.
- If the connection is not authorized, reset the user's password.
- Review the actions the user performed after the connection.