
Summary
The 'Unusual Time or Day for an RDP Session' detection rule uses machine learning to identify anomalous Remote Desktop Protocol (RDP) sessions initiated outside of typical business hours. This capability matters for early detection of potential security breaches, because attackers often abuse RDP to gain unauthorized access during off-peak times. The rule works by tracking RDP session timings, applying an anomaly threshold of 70 and analyzing data collected by the Lateral Movement Detection integration, which requires the corresponding Windows RDP process events. It can alert security teams to suspicious activity that may be part of a larger attack, providing an early warning mechanism. Given its low severity score (21), this detection rule is one element of a broader strategy to mitigate lateral movement within networks.
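The following is an added illustration, not the rule's own ML job or any Elastic code: it shows the idea behind a time-of-day/day-of-week baseline for RDP sessions on a 0-100 anomaly scale with the cited threshold of 70. The scoring formula, the (weekend, hour) bucketing, the minimum-baseline size and the sample events are all constructed assumptions for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events: (user, ISO timestamp of an RDP client process start).
BASELINE_EVENTS = [
    ("alice", "2023-09-04T09:05:00"), ("alice", "2023-09-05T09:40:00"),
    ("alice", "2023-09-06T10:10:00"), ("alice", "2023-09-07T09:20:00"),
    ("alice", "2023-09-08T14:30:00"), ("alice", "2023-09-11T09:15:00"),
    ("alice", "2023-09-12T09:55:00"), ("alice", "2023-09-13T10:05:00"),
    ("svc_backup", "2023-09-09T02:00:00"), ("svc_backup", "2023-09-10T02:00:00"),
    ("svc_backup", "2023-09-16T02:00:00"), ("svc_backup", "2023-09-17T02:00:00"),
]
NEW_EVENTS = [  # constructed events to score against the baseline
    ("alice", "2023-09-14T09:30:00"),       # usual weekday morning
    ("alice", "2023-09-15T03:10:00"),       # weekday, 03:00 never seen
    ("alice", "2023-09-16T09:00:00"),       # usual hour but on a Saturday
    ("svc_backup", "2023-09-20T02:00:00"),  # weekend-only account seen midweek
    ("bob", "2023-09-20T03:00:00"),         # no history at all
]
ANOMALY_THRESHOLD = 70  # the threshold cited in the rule summary
MIN_BASELINE = 4        # assumption: fewer events than this gives no baseline

def bucket(ts):
    """Map a timestamp to a (is_weekend, hour) bucket."""
    t = datetime.fromisoformat(ts)
    return (t.weekday() >= 5, t.hour)

def build_baseline(events):
    """Per-user histogram of observed RDP session buckets."""
    hist = defaultdict(Counter)
    for user, ts in events:
        hist[user][bucket(ts)] += 1
    return hist

def anomaly_score(hist, user, ts):
    """0 for the user's most common bucket, 100 for a never-seen bucket,
    None when the user has too little history to judge."""
    counts = hist.get(user)
    if not counts or sum(counts.values()) < MIN_BASELINE:
        return None
    seen = counts.get(bucket(ts), 0)
    return round(100 * (1 - seen / max(counts.values())))

def flag_sessions(hist, events, threshold=ANOMALY_THRESHOLD):
    """Return (user, ts, score) for events at or above the threshold."""
    flagged = []
    for user, ts in events:
        score = anomaly_score(hist, user, ts)
        if score is not None and score >= threshold:
            flagged.append((user, ts, score))
    return flagged

BASELINE = build_baseline(BASELINE_EVENTS)
```

Accounts with no history are deliberately left unscored rather than flagged, which is why a fresh account such as "bob" does not appear in the output; a real deployment needs a separate rule for that case.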
Categories
- Endpoint
- Network
- Windows
- Other
Data Sources
- User Account
- Network Traffic
- Process
ATT&CK Techniques
- T1210
Created: 2023-10-12