Please help me on developing xql query for cortex xsiam

N.B238890 — Mon, 16 Mar 2026 11:56:15 GMT

Hi Community,

Please help me on developing the xql query for cortex xsiam on the below objective.

RDP Lateral Movement Burst

Objective
Detect high‑velocity RDP lateral movement, It detects multiple RDP connections (logon type 7/10) from the same account within short time spans, lateral movement to multiple hosts, and privilege misuse associated with hands‑on‑keyboard activity. This aligns with T1021.001 (RDP).

Thanks in advance

Re: Please help me on developing xql query for cortex xsiam

susekar — Mon, 16 Mar 2026 14:03:09 GMT

Hello @N.B238890 ,

Greetings for the day.

To detect high-velocity RDP lateral movement (T1021.001) in Cortex XSIAM, you can construct an XQL query targeting Windows Event ID 4624 (Successful Logon) and filtering for Logon Types 7 (Unlock) and 10 (Remote Interactive).

The query logic identifies bursts by grouping these logon events within short time windows (using the bin stage) and calculating the number of unique destination hosts accessed by a single account.

XQL Query: RDP Lateral Movement Burst Detection

Use the following query in the Query Builder:

config timeframe = 24h
| dataset = xdr_data
// Filter for Windows Logon Success events
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624
// Extract LogonType, Target User, and Source IP from the event data fields
| alter logon_type = json_extract_scalar(action_evtlog_data_fields, "$.LogonType"),
 target_user = json_extract_scalar(action_evtlog_data_fields, "$.TargetUserName"),
 source_ip = json_extract_scalar(action_evtlog_data_fields, "$.IpAddress")
// Filter specifically for RDP (Type 10) and Session Unlock (Type 7)
| filter logon_type in ("7", "10") and source_ip != "-" and source_ip != "127.0.0.1"
// Define the burst window (e.g., 15 minutes)
| bin _time span = 15m
// Count unique destination hosts and total connections per account and source IP
| comp count_distinct(agent_hostname) as unique_targets, 
 count(event_id) as total_connections 
 by _time, target_user, source_ip
// Threshold for burst detection: user connecting to 3 or more unique hosts in 15 mins
| filter unique_targets >= 3
| sort desc unique_targets

Key Components of the Query

Dataset:
Uses xdr_data, which contains normalized telemetry from the XDR agent, including ingested Windows Event Logs.

Field Extraction:
Uses json_extract_scalar to pull attributes such as LogonType and IpAddress from the action_evtlog_data_fields JSON object.

Burst Logic:
The bin stage segments events into 15-minute windows, while count_distinct(agent_hostname) identifies when a single account connects to multiple endpoints within that period.

Alternative Detection:

You can also monitor RDP activity using the USER_SESSION event type or by monitoring network activity on port 3389. To view all user sessions regardless of log ingestion status:

dataset = xdr_data
| filter event_type = ENUM.USER_SESSION

For continuous monitoring, you can save this query as a Correlation Rule in Cortex XSIAM to automatically generate incidents when burst activity matching these conditions occurs.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic Please help me on developing xql query for cortex xsiam in Cortex XDR Discussions

Please help me on developing xql query for cortex xsiam

Re: Please help me on developing xql query for cortex xsiam

XQL Query: RDP Lateral Movement Burst Detection

Key Components of the Query

Alternative Detection: