Azure monitoring for RDP. How can I monitor all RDP connections?

kaml 1 Reputation point

In Azure, I want to monitor all attempted RDP connections. I am trying to see how many agents have attempted to connect to the VM and then find out how many succeeded or not.

How can I achieve this? I assume I am missing something obvious because I don't really see any help on this. I expected I could connect the VM to a log workspace and query, but it does not seem to show me what I am after.

For background, I have set up a VM which has a rule to only accept RDP access from a specific external IP address. I then switch on my VPN to simulate an unauthorised machine attempting RDP access.

I want to see the accepted and attempted RDP access somewhere and then perhaps generate alerts from it in the future.


2 answers

  1. George Moise 2,346 Reputation points Microsoft Employee

    Hi kaml,

    If you have your Agents (Servers) onboarded in the Azure Monitor Virtual Machine Insights, or you have the Dependency Agent running on them (beside the Microsoft Monitoring Agent), then, in the Log Analytics Workspace where the agents are connected, you will get details about each connection that every process running on the agents is initiating / receiving.
    All that data is stored in a table called VMConnection, and then you could use a query like this to find out the required info:

    VMConnection
    | where Direction == "inbound"
    | where Protocol == "tcp"
    | where DestinationPort == 3389
    | summarize FirstEvent = min(TimeGenerated), LastEvent = max(TimeGenerated), NumberOfConnections = count() by Computer, RemoteIp

    The above query will tell you for each Agent how many incoming RDP connections (TCP 3389) were detected from each RemoteIP, together with some additional information like when the first and last connections were done.

    I hope it helps!

    1 person found this answer helpful.
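The answer above counts rows, but the asker also wants to tell successful connections from failed ones. The following is an added example (not part of the answer above) that extends the same VMConnection query using the table's standard LinksEstablished and LinksFailed counters; the 7-day window is an assumption. One caveat that applies to this whole approach: VMConnection is populated by the agent inside the guest, so RDP attempts that the NSG rule drops never reach the VM and never appear here; only traffic the NSG allowed through is visible.

```kql
// Added example, not from the original answer.
// Inbound RDP (TCP 3389) activity per source IP, split into established and failed links.
// LinksEstablished / LinksFailed / MaliciousIp are standard VMConnection columns;
// the time window (ago(7d)) is an assumption for illustration.
VMConnection
| where TimeGenerated > ago(7d)
| where Direction == "inbound"
| where Protocol == "tcp"
| where DestinationPort == 3389
| summarize
    FirstEvent = min(TimeGenerated),
    LastEvent = max(TimeGenerated),
    Established = sum(LinksEstablished),
    Failed = sum(LinksFailed),
    ThreatIntelHits = countif(isnotempty(MaliciousIp))
  by Computer, RemoteIp
| extend SuccessRatio = iff(Established + Failed > 0,
                            todouble(Established) / (Established + Failed),
                            0.0)
| order by Failed desc, Established desc
```

Run this in the workspace's Logs blade; the same query body can be pasted into a log search alert rule with a condition such as "Failed greater than 0" to get the alerting the asker mentions, and adding `| where RemoteIp != "<your allowed IP>"` (placeholder) narrows it to sources that should never have reached port 3389.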

  2. Rodolfo Castelo 6 Reputation points

    You could use Event Logging to monitor this.
    Do a query checking the event IDs from this:

    With that create an alert, set the limit to 1 and frequency to 1 minute following this:

    I think you will have a delay, but it could solve your problem.

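The links this answer refers to did not survive, so here is an added example (not part of the answer above) of the event-log query it describes, written against the SecurityEvent table that the Log Analytics agent fills when Windows Security events are collected from the VM. Event ID 4624 is a successful logon and 4625 a failed logon; logon type 10 (RemoteInteractive) is the RDP session logon. The 1-hour window is an assumption chosen to suit the 1-minute alert frequency the answer suggests.

```kql
// Added example, not from the original answer.
// RDP logon outcomes per source IP from the Windows Security log (SecurityEvent table).
// 4624 = successful logon, 4625 = failed logon, LogonType 10 = RemoteInteractive (RDP).
// With Network Level Authentication enabled, failed RDP attempts are commonly recorded
// as 4625 with LogonType 3 instead, so both types are accepted for failures.
// Requires Security events to be collected into the workspace; window is an assumption.
SecurityEvent
| where TimeGenerated > ago(1h)
| where (EventID == 4624 and LogonType == 10)
     or (EventID == 4625 and LogonType in (3, 10))
| summarize
    Succeeded = countif(EventID == 4624),
    Failed = countif(EventID == 4625),
    Accounts = make_set(Account, 20),
    LastAttempt = max(TimeGenerated)
  by Computer, IpAddress
| order by Failed desc
```

Because LogonType 3 also covers other network logons (file shares, for example), a failed count here is an upper bound for RDP when NLA is on; comparing IpAddress against the allowed source address keeps the alert focused. As in the first answer, attempts dropped by the NSG never produce a Security event, so this only shows attempts that reached the VM.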