Hi,
I am helping analyse Microsoft logs for a Windows Server 2019 server with RDP exposed to the Internet. I can see brute force attempts to the server. The Microsoft event in Defender of concern that appears in the Timeline of the host is:
"MYDOMAIN\MYUSER connected to the device through a Remote Desktop session from xx.xx.xx.xx"
Where XX.XX.XX.XX is a known bad overseas IP address. But the user believes they were logged on at that time and the application access after the logon looks like them. Also it looks like the logon may have been associated with a connection from a good IP address, with the Defender Advanced Hunting logs showing in order:
12:26:53 The external remote service process svchost.exe was connected from XX.XX.XX.XX on port 3389
(brute force attempts, event type is "RemoteDesktopConnection")
...then two minutes later the user logs on:
12:28:55 An inbound remote desktop protocol (RDP) connection was initiated from "YY.YY.YY.YY"
(YY.YY.YY.YY is the user's home IP address)
12:28:55 Network login MYDOMAIN\MYUSER succeeded
12:28:55 MYDOMAIN\MYUSER signed into a Windows domain successfully
So the above three entries with the same time stamp look like a good logon from the user.
But in the timeline it shows:
12:28:55:405 Network logon by MYDOMAIN\MYUSER succeeded
12:28:55:405 MYDOMAIN\MYUSER signed into a Windows domain successfully
12:28:59.015 Remote inactive logon by MYDOMAIN\MYUSER succeeded
12:28:59:015 MYDOMAIN\MYUSER connected to the device through a Remote Desktop session from XX.XX.XX.XX
12:28:59:015 MYDOMAIN\MYUSER signed into a Windows domain successfully
So what is displayed on the Timeline does not match the Advanced Hunting.
Any idea what happened here? Thank you.
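One way to line the two views up is to correlate each "connected to the device through a Remote Desktop session from X" attribution with the inbound 3389 connections that preceded it and flag the cases where the nearest inbound connection came from a different address. The script below is an added illustration, not part of the post and not Defender's own tooling; the sample lines are constructed in the shape of the timeline text quoted above, the IPs are documentation-range placeholders, and the regexes assume that free-text shape.

```python
import re
from datetime import datetime

# Constructed sample, shaped like the timeline / Advanced Hunting text quoted in
# the post (not real Defender output); IPs are documentation-range placeholders.
SAMPLE_LOG = """\
12:26:53.000 The external remote service process svchost.exe was connected from 203.0.113.10 on port 3389
12:28:55.405 An inbound remote desktop protocol (RDP) connection was initiated from "198.51.100.7"
12:28:55.405 Network logon by MYDOMAIN\\MYUSER succeeded
12:28:59.015 Remote interactive logon by MYDOMAIN\\MYUSER succeeded
12:28:59.015 MYDOMAIN\\MYUSER connected to the device through a Remote Desktop session from 203.0.113.10
"""

TS = r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) "
PATTERNS = {
    # attribution line: which source IP the RDP session is tied to (matched first)
    "session": re.compile(TS + r"(?P<user>\S+) connected to the device through a "
                          r"Remote Desktop session from (?P<ip>[\d.]+)"),
    # any inbound connection on 3389, brute-force noise included
    "inbound": re.compile(TS + r'.*?(?:connected from|initiated from) "?(?P<ip>[\d.]+)"?'),
}

def parse(log_text):
    """Return [(time, kind, fields)] for lines matching a pattern; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                events.append((datetime.strptime(m["ts"], "%H:%M:%S.%f"), kind, m.groupdict()))
                break
    return events

def check_rdp_attribution(log_text, max_gap_seconds=60.0):
    """Compare each RDP session's attributed IP with the most recent inbound 3389 connection."""
    events = parse(log_text)
    findings = []
    for ts, kind, f in events:
        if kind != "session":
            continue
        prior = [(t, e["ip"]) for t, k, e in events if k == "inbound" and t <= ts]
        if not prior:  # nothing inbound to compare against
            continue
        nearest_ts, nearest_ip = max(prior, key=lambda p: p[0])
        gap = (ts - nearest_ts).total_seconds()
        same_ip = [t for t, ip in prior if ip == f["ip"]]  # the attributed IP's own connections
        findings.append({
            "user": f["user"], "attributed_ip": f["ip"],
            "nearest_inbound_ip": nearest_ip, "nearest_gap_s": gap,
            "attributed_ip_gap_s": (ts - max(same_ip)).total_seconds() if same_ip else None,
            "mismatch": nearest_ip != f["ip"] and gap <= max_gap_seconds,
        })
    return findings
```

On the sample, the session attributed to the brute-force address sits 3.6 s after an inbound connection from the home address, while that brute-force address last connected about two minutes earlier, which is the kind of discrepancy worth raising with the vendor alongside the raw 4624/4625 events.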
Posted to r/AskNetsec: reddit.com/r/AskNetsec/c...