If RDP (3389) is open to the internet, bots will scan it in minutes. One type of defense is not enough — firewall and identity logs must be monitored together.
Signals
- firewall: many denies on port 3389 from the same src_ip
- Windows: Event ID 4625 with LogonType 10 (RemoteInteractive), i.e. failed RDP logons
- a successful 4624 (LogonType 10) at an abnormal time or from an abnormal country
Rule proposal
Block the source on the firewall first; escalate to an incident if a successful RDP logon follows in the same chain. The OxiSec rdp_chain pattern combines this flow.
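The chain above, as an added correlation example (my own code, not the OxiSec rdp_chain pattern): it counts 3389 denies per source IP, tracks 4625/4624 LogonType 10 events, and returns "block" or "escalate" per IP. The log records, the deny threshold and the business-hours window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

def fw(ts, ip, action="deny", port=3389):
    return {"ts": ts, "src_ip": ip, "dst_port": port, "action": action}

def win(ts, ip, event_id, logon_type=10):
    return {"ts": ts, "src_ip": ip, "event_id": event_id, "logon_type": logon_type}

# Constructed sample telemetry (not real logs): two scanners and one normal user
FIREWALL = [fw(f"2024-05-01T02:1{i}:00", "203.0.113.7") for i in range(5)] + \
           [fw(f"2024-05-01T03:0{i}:00", "198.51.100.9") for i in range(5)]
WINDOWS = [
    win("2024-05-01T02:20:00", "203.0.113.7", 4625),   # failed RDP logon
    win("2024-05-01T02:21:00", "203.0.113.7", 4624),   # then a success at 02:21
    win("2024-05-01T09:00:00", "10.0.0.5", 4624),      # normal business-hours logon
]

def correlate(firewall, windows, deny_threshold=5, business_hours=range(8, 18)):
    """Return {src_ip: 'block' | 'escalate'} by chaining firewall and identity logs."""
    denies = defaultdict(int)
    for e in firewall:
        if e["dst_port"] == 3389 and e["action"] == "deny":
            denies[e["src_ip"]] += 1
    # Stage 1: repeated 3389 denies from one source -> block on the firewall
    verdicts = {ip: "block" for ip, n in denies.items() if n >= deny_threshold}
    failed = defaultdict(int)
    # Stage 2: walk Windows events in time order, only RemoteInteractive (type 10)
    for e in sorted(windows, key=lambda e: e["ts"]):
        if e["logon_type"] != 10:
            continue
        ip = e["src_ip"]
        if e["event_id"] == 4625:
            failed[ip] += 1
        elif e["event_id"] == 4624:
            off_hours = datetime.fromisoformat(e["ts"]).hour not in business_hours
            # success after a block/failures, or at an abnormal time -> incident
            if ip in verdicts or failed[ip] > 0 or off_hours:
                verdicts[ip] = "escalate"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in correlate(FIREWALL, WINDOWS).items():
        print(f"{ip}: {verdict}")
```

Country checks would plug in where off_hours is computed, using whatever GeoIP source the environment already has.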