Trying to get this data from the Windows logs is sometimes not the best idea.
If an attacker has DA credentials, they can simply disable your logging. I'd likely suggest looking at firewall data, assuming you log intra-zone traffic. It will also show you attempts to access these ports, even if they are unsuccessful, which could indicate a scan of your network's RDP ports, etc.
On a side note, "deny" events are often more interesting than they are given credit for. If a workstation is accessing a bunch of RDP ports all over the network, even if they are denied, that workstation should still be investigated.
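
An added example, not part of the original comment: one way to surface the workstation described above from firewall data, counting distinct RDP destinations per source and keeping denied attempts in the count. The key=value log format, field names, sample lines and the `min_targets` threshold are all assumptions made for this sketch; adapt them to your firewall's export.

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic key=value format (assumed, not a vendor format).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=deny src=10.1.5.23 dst=10.1.8.10 dport=3389 proto=tcp
2024-05-01T10:00:02Z action=deny src=10.1.5.23 dst=10.1.8.11 dport=3389 proto=tcp
2024-05-01T10:00:02Z action=allow src=10.1.5.40 dst=10.1.9.5 dport=3389 proto=tcp
2024-05-01T10:00:03Z action=deny src=10.1.5.23 dst=10.1.8.12 dport=3389 proto=tcp
2024-05-01T10:00:03Z action=allow src=10.1.5.23 dst=10.1.2.2 dport=443 proto=tcp
2024-05-01T10:00:04Z action=deny src=10.1.5.23 dst=10.1.8.13 dport=3389 proto=tcp
2024-05-01T10:00:05Z action=allow src=10.1.5.23 dst=10.1.8.14 dport=3389 proto=tcp
2024-05-01T10:05:00Z action=allow src=10.1.5.40 dst=10.1.9.5 dport=3389 proto=tcp
truncated line without fields
"""

RDP_PORT = "3389"
FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"action", "src", "dst", "dport"}


def parse_line(line):
    """Return the key=value fields of one log line, or None if it is incomplete."""
    fields = dict(FIELD_RE.findall(line))
    return fields if REQUIRED <= fields.keys() else None


def rdp_fanout(log_text, min_targets=4):
    """Sources that tried RDP against at least min_targets distinct hosts.

    Denied and allowed attempts both count toward the fan-out, because a
    blocked connection still shows what the source was trying to reach.
    """
    targets = defaultdict(set)
    outcomes = defaultdict(lambda: {"denied": 0, "allowed": 0})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None or fields["dport"] != RDP_PORT:
            continue
        src = fields["src"]
        targets[src].add(fields["dst"])
        outcomes[src]["denied" if fields["action"] == "deny" else "allowed"] += 1
    return {
        src: {"targets": len(dsts), **outcomes[src]}
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for src, stats in rdp_fanout(SAMPLE_LOG).items():
        print(src, stats)
```

Filtering on `action=allow` alone would reduce 10.1.5.23 to a single RDP session in this sample, which is why the denies are kept.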