Description of the query:
This query lets you quickly identify RDP logons across your environment: Windows Security event 4624 (successful logon) where LogonType is 10 (RemoteInteractive, the logon type RDP produces). It is useful for baselining and threat hunting. Take it further by excluding expected usernames, expected SrcIp subnets, etc.
Query:
-24h | plat == windows | WEL | event/EVENT/System/EventID == "4624" AND event/EVENT/EventData/LogonType == "10"
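The same match, applied outside LimaCharlie to sample records together with the baseline exclusions suggested above, as an added example (not part of this page or of LimaCharlie's own code). TargetUserName and IpAddress are the standard 4624 EventData fields; the record shape mirrors the event/EVENT/... paths in the query, and all sample values are constructed.

```python
import ipaddress


def _wel(event_id, logon_type, user, ip):
    # Record shaped like the LimaCharlie WEL event the query walks (constructed, not real telemetry)
    return {"event": {"EVENT": {"System": {"EventID": event_id},
                                "EventData": {"LogonType": logon_type,
                                              "TargetUserName": user, "IpAddress": ip}}}}


SAMPLE_EVENTS = [
    _wel("4624", "10", "helpdesk", "10.10.5.20"),      # routine: from the jump-host subnet
    _wel("4624", "10", "svc_backup", "203.0.113.77"),  # RDP from outside the baseline
    _wel("4624", "3", "svc_backup", "203.0.113.77"),   # network logon, not RDP
    _wel("4625", "10", "admin", "198.51.100.9"),       # failed logon, not a 4624
    _wel("4624", "10", "jdoe", "-"),                   # Windows did not record a source
]


def _get(event, *path):
    # Walk the nested dict along path; None if any key is missing
    node = event
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def rdp_logons(events, expected_users=(), expected_subnets=()):
    """Successful RDP logons (EventID 4624, LogonType 10) that fall outside the baseline:
    expected_users (case-insensitive) and expected_subnets (CIDR strings). An IpAddress of
    '-' or anything unparsable is kept, since it cannot be baselined by subnet."""
    allowed_users = {u.lower() for u in expected_users}
    allowed_nets = [ipaddress.ip_network(n) for n in expected_subnets]
    hits = []
    for ev in events:
        if (_get(ev, "event", "EVENT", "System", "EventID") != "4624"
                or _get(ev, "event", "EVENT", "EventData", "LogonType") != "10"):
            continue
        user = _get(ev, "event", "EVENT", "EventData", "TargetUserName") or ""
        src = _get(ev, "event", "EVENT", "EventData", "IpAddress") or "-"
        if user.lower() in allowed_users:
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            addr = None
        if addr is not None and any(addr in net for net in allowed_nets):
            continue
        hits.append({"user": user, "src_ip": src})
    return hits
```

Run against SAMPLE_EVENTS with expected_users=["helpdesk"] and expected_subnets=["10.10.0.0/16"], only the svc_backup logon from 203.0.113.77 and the jdoe logon with no recorded source remain.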