Techniques
Sample rules
Remote Desktop Network Bruteforce
- source: splunk
- technicques:
- T1021.001
- T1021
Description
This search looks for RDP application network traffic and filters any source/destination pair generating more than twice the standard deviation of the average traffic.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port
| eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50
| where count>(avg + stdev*2)
| rename All_Traffic.src AS src All_Traffic.dest AS dest
| table firstTime lastTime src dest count avg p50 stdev
| `remote_desktop_network_bruteforce_filter`