How to distingusion where is the 4624 event was lo...

Alerting

Hi Everyone

I am trying to detect RDP connection to a remote host. I read up some web post suggests looking for 4624 with logon type 10 event. I made an RDP to a remote host, however all 4624 evens I can see is logon type 3.

Then I realize 4624 events can be collected from 3 places

The workstation where the user phycially present

The AD: where the authentication takes place

The remote host: where the user wants to log in, which is the destination host.

I am wondering whether the logon type 10 events only occur on the remote host and on the AD log the 4624 event will have logon type 3 instead.

Anyone has come across this kind of situation before?

Thank you for the help.

Cheers

Linsong

Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...