03-16-2026 04:56 AM
Hi Community,
Please help me with developing an XQL query for Cortex XSIAM for the objective below.
RDP Lateral Movement Burst
Objective
Detect high-velocity RDP lateral movement. It detects multiple RDP connections (logon type 7/10) from the same account within short time spans, lateral movement to multiple hosts, and privilege misuse associated with hands-on-keyboard activity. This aligns with T1021.001 (RDP).
Thanks in advance
03-16-2026 07:03 AM
Hello @N.B238890 ,
Greetings for the day.
To detect high-velocity RDP lateral movement (T1021.001) in Cortex XSIAM, you can construct an XQL query targeting Windows Event ID 4624 (Successful Logon) and filtering for Logon Types 7 (Unlock) and 10 (Remote Interactive).
The query logic identifies bursts by grouping these logon events within short time windows (using the bin stage) and calculating the number of unique destination hosts accessed by a single account.
Use the following query in the Query Builder:
Dataset:
Uses xdr_data, which contains normalized telemetry from the XDR agent, including ingested Windows Event Logs.
Field Extraction:
Uses json_extract_scalar to pull attributes such as LogonType and IpAddress from the action_evtlog_data_fields JSON object.
Burst Logic:
The bin stage segments events into 15-minute windows, while count_distinct(agent_hostname) identifies when a single account connects to multiple endpoints within that period.
You can also monitor RDP activity using the USER_SESSION event type or by monitoring network activity on port 3389. To view all user sessions regardless of log ingestion status:
For continuous monitoring, you can save this query as a Correlation Rule in Cortex XSIAM to automatically generate incidents when burst activity matching these conditions occurs.
If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
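The query itself is not shown on this page, so here is an added example reconstructed from the description in the reply above (burst detection over 4624 events, 15-minute bin, count_distinct on the destination host). It is an editor's example, not the reply author's query. Assumptions: the xdr_data field names action_evtlog_event_id, action_evtlog_data_fields and agent_hostname, the 4624 JSON keys TargetUserName, LogonType and IpAddress, the 15-minute window and the threshold of three distinct hosts are all as recalled or chosen here and should be verified against your tenant's schema and baseline. One practitioner caveat is built in: logon type 7 (Unlock) fires for every local screen unlock as well as for RDP reconnects, so events without a real remote source address are dropped before aggregation.

```xql
// Added example reconstructed from the prose above; not the reply's original query.
// Assumed xdr_data fields: action_evtlog_event_id, action_evtlog_data_fields, agent_hostname.
// Assumed 4624 JSON keys: TargetUserName, LogonType, IpAddress. Verify against your schema.
dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624
| alter user = json_extract_scalar(action_evtlog_data_fields, "$.TargetUserName"),
        logon_type = json_extract_scalar(action_evtlog_data_fields, "$.LogonType"),
        src_ip = json_extract_scalar(action_evtlog_data_fields, "$.IpAddress")
// Type 10 = RemoteInteractive (new RDP session); type 7 = Unlock (also RDP reconnect to an existing session).
// Type 7 is also logged for plain console unlocks, so keep only events with a real remote source address.
| filter logon_type in ("7", "10")
    and src_ip != null and src_ip != "-" and src_ip != "127.0.0.1" and src_ip != "::1"
// Fixed 15-minute burst window (assumed tuning value)
| bin _time span = 15m
// agent_hostname is the endpoint that recorded the 4624, i.e. the RDP destination.
// Grouping by account rather than by source IP keeps a multi-hop pivot in one row.
| comp count_distinct(agent_hostname) as host_count,
       count() as logons,
       values(agent_hostname) as hosts,
       values(src_ip) as sources
  by user, _time
// Threshold: three or more distinct destination hosts from one account in one window (assumed; tune per environment)
| filter host_count >= 3
| sort desc host_count
```

Because bin produces fixed windows, a burst that straddles a 15-minute boundary is split across two rows and may fall under the threshold in each; lowering the threshold or widening the span trades that miss for more noise. Run the query over a day or two first to baseline jump-host and admin accounts that legitimately fan out, and exclude them or raise their threshold before saving it as a correlation rule.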

