Query Details

# Microsoft Security Exposure Management - Remote Desktop Protocol (RDP)

## Query Information

### Description

Use the query below to retrieve RDP configuration information from the enterprise exposure graph.

#### References

- [Introducing Microsoft Security Exposure Management](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/introducing-microsoft-security-exposure-management/ba-p/4080907)
- [Query the enterprise exposure graph](https://learn.microsoft.com/en-us/security-exposure-management/query-enterprise-exposure-graph)

### Microsoft Defender XDR

Retrieve RDP service and configuration information

```kql
ExposureGraphNodes
| where NodeLabel == 'device'
// rawData holds the device properties collected by the exposure graph
| extend rawData = parse_json(NodeProperties.rawData)
// keep onboarded Windows devices only
| where parse_json(rawData.osDistribution) == 'Windows'
| where parse_json(rawData).onboardingStatus == 'Onboarded'
| extend DeviceName = parse_json(rawData).deviceName
| extend osPlatformFriendlyName = parse_json(rawData).osPlatformFriendlyName
// two RDP-related sub-objects: the service entry and the connection settings
| extend rdpService = parse_json(rawData.remoteServicesInfo.rdp)
| extend rdpStatus = parse_json(rawData.rdpStatus)
| extend RDPallowConnections = tostring(parse_json(rdpStatus).allowConnections)
// service state, start mode and NLA requirement come from remoteServicesInfo.rdp
| extend RDPserviceRunning = parse_json(rdpService).serviceRunning
| extend RDPstartMode = parse_json(rdpService).startMode
| extend RDPnlaRequired = tostring(parse_json(rdpService).nlaRequired)
| project DeviceName, osPlatformFriendlyName, RDPserviceRunning, RDPallowConnections, RDPnlaRequired, RDPstartMode, rawData
```
This query retrieves Remote Desktop Protocol (RDP) configuration information from the enterprise exposure graph for devices running Windows operating system that are onboarded. It includes details such as device name, OS platform, RDP service status, RDP connections allowed, NLA requirement, and start mode.
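The inventory query above lists every onboarded Windows device with its RDP settings. As an added example that is not part of the original page, the query below narrows that output to the configuration a defender most wants to review: the RDP service is running, inbound connections are allowed, and Network Level Authentication is not required, then counts those devices per OS platform. The field paths (`rawData.rdpStatus`, `rawData.remoteServicesInfo.rdp`) are the ones used in the original query; converting the values with `tobool()` assumes they serialize as boolean or "true"/"false" strings.

```kql
// Added example: onboarded Windows devices that accept RDP connections without NLA.
// Field paths are taken from the inventory query on this page; the tobool() conversion
// assumes the values arrive as booleans or "true"/"false" strings.
ExposureGraphNodes
| where NodeLabel == 'device'
| extend rawData = parse_json(NodeProperties.rawData)
| where tostring(rawData.osDistribution) == 'Windows'
| where tostring(rawData.onboardingStatus) == 'Onboarded'
| extend DeviceName = tostring(rawData.deviceName),
         osPlatformFriendlyName = tostring(rawData.osPlatformFriendlyName),
         rdpService = rawData.remoteServicesInfo.rdp,
         rdpStatus = rawData.rdpStatus
| extend RDPserviceRunning = tobool(tostring(rdpService.serviceRunning)),
         RDPallowConnections = tobool(tostring(rdpStatus.allowConnections)),
         RDPnlaRequired = tobool(tostring(rdpService.nlaRequired)),
         RDPstartMode = tostring(rdpService.startMode)
// the risky combination: listening, reachable, and no NLA in front of the logon screen
| where RDPserviceRunning == true
    and RDPallowConnections == true
    and RDPnlaRequired == false
// one row per platform, with up to 50 device names for follow-up
| summarize DevicesWithoutNLA = dcount(DeviceName),
            Devices = make_set(DeviceName, 50)
    by osPlatformFriendlyName
| order by DevicesWithoutNLA desc
```

Dropping the `where` line on `RDPnlaRequired` and adding `RDPstartMode` to the `by` clause turns the same query into a count of RDP-enabled devices by start mode, which is useful for spotting hosts where the service is set to start automatically but is not currently running.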

Alex Verboon
Released: March 14, 2024