An uncommon RDP session from a managed host

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-03-01
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Enhanced RDP Analytics

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: Remote Desktop Protocol (T1021.001)

Severity

Informational

Description

An RDP session was established with uncommon parameters from a managed host.

Attacker's Goals

Adversaries may use RDP for initial access or lateral movement within a network.

Investigative actions

  • Investigate the source and destination of the RDP communication.
  • Check if this communication is legitimate and expected.
  • Analyze the user and process that initiated the RDP connection.

Variations

An uncommon RDP session initiated by a chained RDP client

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: Remote Desktop Protocol (T1021.001)

Severity

Low

Description

An RDP session was established by an RDP client process whose causality chain leads back to another RDP client, that is, RDP chained from within an existing RDP session, which is uncommon behavior.

Attacker's Goals

Adversaries may use RDP for initial access or lateral movement within a network.

Investigative actions

  • Investigate the source and destination of the RDP communication.
  • Check if this communication is legitimate and expected.
  • Analyze the user and process that initiated the RDP connection.


An uncommon RDP session initiated by a globally rare RDP client

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: Remote Desktop Protocol (T1021.001)

Severity

Low

Description

An RDP session was established by a process hash that has not been seen globally, which is uncommon.

Attacker's Goals

Adversaries may use RDP for initial access or lateral movement within a network.

Investigative actions

  • Investigate the source and destination of the RDP communication.
  • Check if this communication is legitimate and expected.
  • Analyze the user and process that initiated the RDP connection.


An uncommon RDP session initiated by a rare RDP client

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: Remote Desktop Protocol (T1021.001)

Severity

Low

Description

An RDP session was established by a process hash that is rare in the environment.

Attacker's Goals

Adversaries may use RDP for initial access or lateral movement within a network.

Investigative actions

  • Investigate the source and destination of the RDP communication.
  • Check if this communication is legitimate and expected.
  • Analyze the user and process that initiated the RDP connection.


An uncommon RDP session from a host that rarely initiates RDP

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: Remote Desktop Protocol (T1021.001)

Severity

Low

Description

An RDP session was initiated from a host that does not typically establish RDP connections.

Attacker's Goals

Adversaries may use RDP for initial access or lateral movement within a network.

Investigative actions

  • Investigate the source and destination of the RDP communication.
  • Check if this communication is legitimate and expected.
  • Analyze the user and process that initiated the RDP connection.


An uncommon RDP session initiated by a process with rare causality

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: Remote Desktop Protocol (T1021.001)

Severity

Low

Description

An RDP session was established by a process with an uncommon parent process relationship.

Attacker's Goals

Adversaries may use RDP for initial access or lateral movement within a network.

Investigative actions

  • Investigate the source and destination of the RDP communication.
  • Check if this communication is legitimate and expected.
  • Analyze the user and process that initiated the RDP connection.
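The base alert and its five variations all rest on the same kind of rarity baselining: the training period profiles which hosts initiate RDP, which process hashes do so, and which parent/child (causality) pairs do so, and a new session is flagged when it falls outside that profile. The Python below is an added example written for this page to show that logic end to end over constructed sample sessions; it is not Cortex XSIAM's analytics code. The event field names, the list of RDP client images, the rarity thresholds, the set that stands in for a global prevalence feed, and every event are constructed assumptions.

```python
"""Rarity baselining behind the "uncommon RDP session" variations.

Added example for this page, not Cortex XSIAM's analytics code. Field names,
thresholds, the RDP client list and all events are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Images this example treats as interactive RDP clients (assumed list).
RDP_CLIENTS = {"mstsc.exe", "mremoteng.exe", "rdcman.exe"}
RARE_HOST_COUNT = 2      # hash or parent/child pair seen on fewer hosts is "rare"
RARE_SESSION_COUNT = 3   # host with fewer baseline RDP sessions "rarely initiates RDP"


@dataclass(frozen=True)
class RdpEvent:
    """One outbound RDP session observed by the agent (constructed fields)."""
    host: str      # managed host that opened the session
    user: str      # user context of the connecting process
    image: str     # connecting process image name
    sha256: str    # connecting process hash (shortened in the samples)
    parent: str    # causality actor / parent process image name
    dst: str       # destination of the TCP/3389 connection


class Baseline:
    """Environment profile built from the training period."""

    def __init__(self, training, global_hashes):
        self.hosts_by_hash = defaultdict(set)    # sha256 -> hosts that ran it
        self.hosts_by_pair = defaultdict(set)    # (parent, image) -> hosts
        self.sessions_per_host = Counter()       # host -> RDP sessions seen
        # Stands in for a global prevalence / reputation feed (assumption).
        self.global_hashes = set(global_hashes)
        for e in training:
            self.hosts_by_hash[e.sha256].add(e.host)
            self.hosts_by_pair[self._pair(e)].add(e.host)
            self.sessions_per_host[e.host] += 1

    @staticmethod
    def _pair(e):
        return (e.parent.lower(), e.image.lower())

    def variations(self, e):
        """Names of the variations a single new RDP session matches."""
        hits = []
        # Chained client: the RDP client was itself spawned by an RDP client.
        if e.parent.lower() in RDP_CLIENTS:
            hits.append("chained RDP client")
        # Global rarity is the more specific finding, so it suppresses local rarity.
        if e.sha256 not in self.global_hashes:
            hits.append("globally rare RDP client")
        elif len(self.hosts_by_hash[e.sha256]) < RARE_HOST_COUNT:
            hits.append("rare RDP client")
        if self.sessions_per_host[e.host] < RARE_SESSION_COUNT:
            hits.append("host that rarely initiates RDP")
        if len(self.hosts_by_pair[self._pair(e)]) < RARE_HOST_COUNT:
            hits.append("process with rare causality")
        return hits

    def severity(self, e):
        """Page mapping: base alert is Informational, any variation is Low."""
        return "Low" if self.variations(e) else "Informational"


# Constructed 30-day training data: three IT hosts each open 10 sessions
# with the stock mstsc.exe launched from explorer.exe.
TRAINING = [
    RdpEvent(host, "corp\\itadmin", "mstsc.exe", "aa11", "explorer.exe", f"10.0.{i}.{j}")
    for i, host in enumerate(["admin-jump01", "it-ws07", "it-ws12"])
    for j in range(1, 11)
]
# Hashes "known globally" in this example: stock mstsc.exe and a stock mRemoteNG build.
GLOBAL_HASHES = {"aa11", "bb22"}

# Constructed new sessions to triage against the baseline.
NEW_SESSIONS = [
    RdpEvent("it-ws07", "corp\\itadmin", "mstsc.exe", "aa11", "explorer.exe", "10.0.9.9"),
    RdpEvent("hr-ws03", "corp\\jdoe", "mstsc.exe", "aa11", "explorer.exe", "10.0.1.5"),
    RdpEvent("admin-jump01", "corp\\itadmin", "mstsc.exe", "aa11", "mstsc.exe", "10.0.2.8"),
    RdpEvent("it-ws12", "corp\\itadmin", "rdp.exe", "cc33", "powershell.exe", "10.0.3.3"),
    RdpEvent("it-ws07", "corp\\itadmin", "mremoteng.exe", "bb22", "explorer.exe", "10.0.4.4"),
]


def triage(baseline, events):
    """Return (host, severity, variations) for each event, alerts first."""
    rows = [(e.host, baseline.severity(e), baseline.variations(e)) for e in events]
    return sorted(rows, key=lambda r: r[1] != "Low")


if __name__ == "__main__":
    for host, sev, hits in triage(Baseline(TRAINING, GLOBAL_HASHES), NEW_SESSIONS):
        print(f"{host:<13} {sev:<13} {', '.join(hits) or 'baseline-consistent'}")
```

Two points carry over to real triage of these alerts. First, the variations stack: a hash never seen globally will almost always also have a parent/child pair never seen in the environment, so several variation names on one session are expected rather than a sign of multiple incidents. Second, the thresholds and the training window decide the false-positive rate; a host that legitimately starts using RDP after the training period will trip the "rarely initiates RDP" variation until the baseline catches up, which is exactly why the investigative actions start with confirming whether the source, destination and user make sense.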