This query identifies devices in the DeviceEvents table that are initiating RDP connections and provides the location of the remote IP addresses.
The DeviceEvents table has a column called 'LocalIP', whose name can be confusing because it also includes remote IPs. I have added a line to only show entries where the IP's country is detected (entries with no associated country are potentially local IPs). Optionally, you can add a line to exclude 'whitelisted' locations, like: '| where location !contains "Spain"'
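DeviceEvents
// Keep only RDP connection events
| where ActionType contains "RemoteDesktopConnection"
// Despite its name, LocalIP also holds the remote address; look up its geolocation
| extend location = geo_info_from_ip_address(LocalIP)
// Keep only rows where a country was resolved
| where location has "Country"
| project Timestamp, DeviceName, ActionType, LocalIP, LocalPort, location, ReportId, DeviceId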
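The optional exclusion described above, extended into a triage view. This is an added example, not part of the original query. It goes beyond the single-country filter by using an allowlist and grouping results per country and IP. The names AllowedCountries, Country, City, Connections, FirstSeen, LastSeen and Devices are assumptions, and the allowlist value is constructed.

```kusto
// Constructed allowlist; replace with the countries expected in your environment.
let AllowedCountries = dynamic(["Spain"]);
DeviceEvents
| where ActionType contains "RemoteDesktopConnection"
| extend location = geo_info_from_ip_address(LocalIP)
// Pull the fields out of the dynamic result so they can be filtered and grouped.
| extend Country = tostring(location.country), City = tostring(location.city)
// Same intent as the 'has "Country"' filter: drop rows with no geolocation.
| where isnotempty(Country)
// Case-insensitive exclusion of expected locations.
| where Country !in~ (AllowedCountries)
// One row per country and remote IP, with the devices involved.
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Devices = make_set(DeviceName, 50)
    by Country, City, LocalIP
| order by Connections desc
```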