This article focuses on creating detection rules in Elastic Security (the ELK stack) to detect Remote Desktop Protocol (RDP) brute-force attacks on Windows systems.
It suggests two event IDs and the logon types to monitor for failed login attempts, network logons, and remote interactive logons, which are commonly associated with RDP access.
The rule query is described, filtering on event code, logon types, and agent name so that only the Windows-specific logs in ELK are selected, and the logic behind the query is explained in detail.
The rationale is that, even though RDP is widely associated with Logon Type 10, vulnerabilities have been found in the past in other network services that do not require explicit credentials, which makes Logon Type 10 less reliable on its own.
Thus, monitoring both Logon Types 3 and 10 yields a more robust detection.
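As an added illustration (not code from the article), the Python below replays the same three-part filter (event code, logon type, agent name) over a few constructed ECS-style documents and adds the per-source threshold a brute-force rule needs. Event ID 4625 (Windows "An account failed to log on"), the Winlogbeat field names and the agent name `win-srv-01` are assumptions, not taken from the article.

```python
"""Replay a failed-logon rule over constructed ECS-style Windows events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: 4625 = "An account failed to log on"; logon types 3 (Network)
# and 10 (RemoteInteractive) are the two the article recommends monitoring.
FAILED_LOGON_CODE = "4625"
RDP_LOGON_TYPES = {"3", "10"}


def matches_rule(doc, agent_name):
    """Same filter as the rule query: event code, logon type, agent name."""
    return (doc.get("event.code") == FAILED_LOGON_CODE
            and doc.get("winlog.event_data.LogonType") in RDP_LOGON_TYPES
            and doc.get("agent.name") == agent_name)


def brute_force_sources(docs, agent_name, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> max matching failures seen in any sliding window,
    keeping only sources that reach the threshold."""
    per_src = defaultdict(list)
    for d in docs:
        if matches_rule(d, agent_name):
            per_src[d.get("source.ip", "unknown")].append(
                datetime.fromisoformat(d["@timestamp"]))
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window start
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def _doc(ts, code, logon_type, src, agent="win-srv-01"):
    return {"@timestamp": ts, "event.code": code,
            "winlog.event_data.LogonType": logon_type,
            "source.ip": src, "agent.name": agent}


# Constructed sample: one source fails 7 times over RDP-style logon types,
# the rest are excluded by logon type, event code, agent name or volume.
SAMPLE_EVENTS = (
    [_doc(f"2024-01-01T10:00:{s:02d}", "4625", "10", "203.0.113.5") for s in range(0, 60, 10)]
    + [_doc("2024-01-01T10:01:00", "4625", "3", "203.0.113.5")]
    + [_doc("2024-01-01T10:00:05", "4625", "2", "198.51.100.9")]          # Interactive logon
    + [_doc("2024-01-01T10:00:06", "4624", "10", "198.51.100.9")]         # successful logon
    + [_doc("2024-01-01T10:00:07", "4625", "3", "198.51.100.9", "linux-01")]  # other agent
    + [_doc("2024-01-01T10:00:08", "4625", "3", "192.0.2.77")]            # single failure
)
```

Running `brute_force_sources(SAMPLE_EVENTS, "win-srv-01")` flags only `203.0.113.5`; tightening the window to 30 seconds shows how the threshold interacts with burst timing.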