Multiple alerts associated with a single RDP connection

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2026-05-18
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

3 Hours

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Alerts
    • Third-Party Alerts

Detection Modules

Detector Tags

Enhanced RDP Analytics

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: Remote Desktop Protocol (T1021.001)

Severity

Informational

Description

Multiple alerts associated with a single RDP connection were triggered.

Attacker's Goals

Adversaries may use RDP for initial access or lateral movement within a network.

Investigative Actions

  • Investigate the source and destination of the RDP communication.
  • Check if this communication is legitimate and expected.
  • Analyze the user and process that initiated the RDP connection.
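The following is an added example, not Cortex XDR's own detection logic, showing how the description above can be expressed as correlation code: alerts from either data source are grouped per RDP connection (source, destination, user), a finding is raised when two or more land inside the 3-hour test period, and a further finding for the same connection is suppressed for the 1-day deduplication period. The alert records and their field names are constructed for this example and are not the Cortex XDR schema; each finding carries the source, destination, user and initiating process that the investigative actions call for.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry). The field names are an
# assumption for this example, not the Cortex XDR alert schema.
SAMPLE_ALERTS = [
    {"ts": "2026-05-18T09:00:00", "source": "Palo Alto Networks Platform Alerts",
     "name": "Suspicious RDP logon", "src": "10.0.0.5", "dst": "10.0.1.20",
     "user": "corp\\jdoe", "process": "mstsc.exe"},
    {"ts": "2026-05-18T09:20:00", "source": "Third-Party Alerts",
     "name": "Credential access tool detected", "src": "10.0.0.5", "dst": "10.0.1.20",
     "user": "corp\\jdoe", "process": "mstsc.exe"},
    {"ts": "2026-05-18T10:10:00", "source": "Palo Alto Networks Platform Alerts",
     "name": "Unusual RDP session time", "src": "10.0.0.5", "dst": "10.0.1.20",
     "user": "corp\\jdoe", "process": "mstsc.exe"},
    # Second burst on the same connection later the same day: it falls inside
    # the 1-day deduplication period, so it must not produce a second finding.
    {"ts": "2026-05-18T19:00:00", "source": "Third-Party Alerts",
     "name": "Suspicious RDP logon", "src": "10.0.0.5", "dst": "10.0.1.20",
     "user": "corp\\jdoe", "process": "mstsc.exe"},
    {"ts": "2026-05-18T19:30:00", "source": "Palo Alto Networks Platform Alerts",
     "name": "Unusual RDP session time", "src": "10.0.0.5", "dst": "10.0.1.20",
     "user": "corp\\jdoe", "process": "mstsc.exe"},
    # A different connection with a single alert: must not fire.
    {"ts": "2026-05-18T09:05:00", "source": "Third-Party Alerts",
     "name": "Suspicious RDP logon", "src": "10.0.0.7", "dst": "10.0.1.30",
     "user": "corp\\admin", "process": "mstsc.exe"},
]


def connection_key(alert):
    """Identify one RDP connection: which user connected from where to where."""
    return (alert["src"], alert["dst"], alert["user"])


def correlate(alerts, test_hours=3, dedup_days=1):
    """Return one finding per RDP connection that accumulated two or more
    alerts inside a test window of `test_hours`. A connection that already
    produced a finding is suppressed for `dedup_days` afterwards."""
    test_period = timedelta(hours=test_hours)
    dedup_period = timedelta(days=dedup_days)

    by_conn = defaultdict(list)
    for a in alerts:
        by_conn[connection_key(a)].append(dict(a, ts=datetime.fromisoformat(a["ts"])))

    findings = []
    for (src, dst, user), items in by_conn.items():
        items.sort(key=lambda a: a["ts"])
        last_fired = None
        i = 0
        while i < len(items):
            start = items[i]["ts"]
            # Because items are sorted, this is a prefix of items[i:].
            window = [a for a in items[i:] if a["ts"] - start <= test_period]
            suppressed = last_fired is not None and start - last_fired < dedup_period
            if len(window) >= 2 and not suppressed:
                findings.append({
                    "severity": "Informational",
                    "src": src, "dst": dst, "user": user,
                    "process": sorted({a["process"] for a in window}),
                    "first_seen": start.isoformat(),
                    "last_seen": window[-1]["ts"].isoformat(),
                    "alert_count": len(window),
                    "alert_names": [a["name"] for a in window],
                    "sources": sorted({a["source"] for a in window}),
                })
                last_fired = start
                i += len(window)  # these alerts are attributed to this finding
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_ALERTS):
        print(f"{f['user']} {f['src']} -> {f['dst']} via {f['process']}: "
              f"{f['alert_count']} alerts {f['first_seen']}..{f['last_seen']}")
```

Run against the constructed input, the first connection yields a single finding covering the three morning alerts; the evening burst is swallowed by the deduplication period, and the second connection never fires because it only has one alert. Shrinking `dedup_days` to 0 or `test_hours` to 1 shows how each period changes the outcome.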