articles/sentinel/data-connectors-reference.md
Lines changed: 28 additions & 1 deletion
@@ -1332,6 +1332,8 @@ For more information, see [Insecure protocols workbook setup](./get-visibility.m
1332
1332
1333
1333
See also: [**Windows Security Events**](#windows-security-events-preview) connector based on Azure Monitor Agent (AMA)
1334
1334
1335
+
[Configure the **Security events / Windows Security Events connector**for**anomalous RDP login detection**](#configure-the-security-events--windows-security-events-connector-for-anomalous-rdp-login-detection).
1336
+
1335
1337
## SentinelOne (Preview)
1336
1338
1337
1339
| Connector attribute | Description |
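Review bot: the added link text on new line 1335 is missing spaces around the bold markers: `**Security events / Windows Security Events connector**for**anomalous RDP login detection**` renders as "connectorforanomalous". Suggest `[Configure the **Security events / Windows Security Events connector** for **anomalous RDP login detection**](#configure-the-security-events--windows-security-events-connector-for-anomalous-rdp-login-detection)`. The in-file anchor itself matches the `### Configure the Security events / Windows Security Events connector ...` heading added later in this patch, so the target resolves once both hunks land.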
@@ -1593,7 +1595,32 @@ We recommend installing the [Azure Sentinel Information Model (ASIM)](normalizat
1593
1595
|**Supported by**| Microsoft |
1594
1596
|||
1595
1597
1596
-
Use the Windows Security Events connector, or the legacy [**Security events**](#security-events-windows) connector, to [detect anomalous RDP logins](common-threat-detection-scenarios.md#configure-the-security-events--windows-security-events-connector-for-anomalous-rdp-login-detection).
1598
+
1599
+
See also: Legacy [**Security events**](#security-events-windows) connector.
1600
+
1601
+
### Configure the Security events / Windows Security Events connector for anomalous RDP login detection
1602
+
1603
+
> [!IMPORTANT]
1604
+
> Anomalous RDP login detection is currently in public preview.
1605
+
> This feature is provided without a service level agreement, and it's not recommended for production workloads.
1606
+
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
1607
+
1608
+
Azure Sentinel can apply machine learning (ML) to Security events data to identify anomalous Remote Desktop Protocol (RDP) login activity. Scenarios include:
1609
+
1610
+
- **Unusual IP** - the IP address has rarely or never been observed in the last 30 days
1611
+
1612
+
- **Unusual geo-location** - the IP address, city, country, and ASN have rarely or never been observed in the last 30 days
1613
+
1614
+
- **New user** - a new user logs in from an IP address and geo-location, both or either of which were not expected to be seen based on data from the 30 days prior.
1615
+
1616
+
**Configuration instructions**
1617
+
1618
+
1. You must be collecting RDP login data (Event ID 4624) through the **Security events** or **Windows Security Events** data connectors. Make sure you have selected an [event set](windows-security-event-id-reference.md) besides "None", or created a data collection rule that includes this event ID, to stream into Azure Sentinel.
1619
+
1620
+
1. From the Azure Sentinel portal, select **Analytics**, and then select the **Rule templates** tab. Choose the **(Preview) Anomalous RDP Login Detection** rule, and move the **Status** slider to **Enabled**.
1621
+
1622
+
> [!NOTE]
1623
+
> As the machine learning algorithm requires 30 days' worth of data to build a baseline profile of user behavior, you must allow 30 days of Windows Security events data to be collected before any incidents can be detected.
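Review bot: the deleted line 1597 pointed readers at `common-threat-detection-scenarios.md#configure-the-security-events--windows-security-events-connector-for-anomalous-rdp-login-detection`, and this hunk replaces it with a same-named section inside `data-connectors-reference.md`; any other articles still linking to the old anchor in `common-threat-detection-scenarios.md` would need to be repointed at the new location, so that should be checked across the docs set before merge. Two smaller items in the new text: the three scenario bullets are punctuated inconsistently (only **New user** ends with a period), and new line 1598 (`See also: Legacy ... connector.`) sits directly under the table row `|||` with no blank line before it, so confirm it renders outside the table.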