Tracking whom and how often RDP is performed by either Users /Admins can be a good matrix to track. It can also help track down both an attacker or rouge insider.
In VSE Access Protection Policy, select unwanted Programs:
Selection User-Defined Rules- New
Select "Port Blocking Rule" -default
Name the rule something you will understand in the events- IE RDP-WS
Processes to include "MSTSC.exe"
Starting and ending port "3389"
Direction check both Inbound and Outbound
Endure you uncheck block and only leave report. IF YOU LEAVE BLOCK CHECK you will kill RDP and your Sys Admins will call for your head.
Retrieving data ...