diff --git a/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml b/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml
index dc236166805..05f8b6841b7 100644
--- a/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml
+++ b/Detections/SecurityEvent/RDP_MultipleConnectionsFromSingleSystem.yaml
@@ -32,7 +32,7 @@ query: |
 | where TimeGenerated >= ago(endtime)
 | where EventID == 4624 and LogonType == 10
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)
- by Account, IpAddress, AccountType, Activity, LogonTypeName),
+ by Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName),
 (WindowsEvent
 | where TimeGenerated >= ago(endtime)
 | where EventID == 4624
@@ -46,7 +46,7 @@ query: |
 | extend Activity="4624 - An account was successfully logged on."
 | extend LogonTypeName="10 - RemoteInteractive"
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)
- by Account, IpAddress, AccountType, Activity, LogonTypeName)
+ by Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName)
 )
 | join kind=inner (
 (union isfuzzy=true
@@ -83,7 +83,7 @@ entityMappings:
   fieldMappings:
   - identifier: Address
     columnName: IpAddress
-version: 1.2.5
+version: 1.2.6
 kind: Scheduled
 metadata:
   source:
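Review bot: The new `by Account = tolower(Account)` key in the first hunk (and the identical change in the second hunk) lowercases Account only on the left side of the `join kind=inner ( (union isfuzzy=true …` that closes the second hunk, while the right-hand union and the join key themselves are outside this diff. If that side still summarizes by the raw `Account` (or the join is on `Account`), rows whose casing differs between the two sides stop matching and the detection drops results silently rather than failing. The same normalization should be applied on the right-hand branches, e.g. `by Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName` in each of their summarize clauses, or the join key should be lowercased explicitly on both sides. Worth a one-line note in the query, `// Account is lowercased on both sides so the inner join is case-insensitive`, once that is confirmed. The query block starts before the first hunk and continues past the second, so the join key cannot be verified from this diff alone.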