RDP Session Daisy Chain



I am trying to form a script that will parse information to detect RDP sessions that are daisy-chained over our network.


src=* dest=* dest_port=3389 | transaction dest startswith=(src)

src=w.x.y.z dest= dest_port=3389
src= dest=a.b.c.d dest_port=3389

The problem is continuing the search to find multiple jumps and listing the multiple IPs.



You need duration or end time in addition to start time to consider doing this.

It's also going to be difficult to do this in a "normal" Splunk search. I did something somewhat similar with mail logs. Specifically I had to write a custom search command that followed tree-like data, which is what your use case really needs.

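To show what "following tree-like data" with start and end times looks like outside of SPL, here is an added Python example (not from the original post, and not a Splunk custom search command as shipped by anyone). It assumes key=value events with src, dest, dest_port, start and end fields; the sample log lines are constructed.

```python
from collections import defaultdict

# Constructed sample events, start/end in epoch seconds. 10.0.0.5 -> 10.0.0.9
# -> 10.0.0.20 is a genuine two-hop chain (the inner session opens while the
# outer one is still up). 10.0.0.30 -> 40 -> 50 is NOT a chain: the first
# session ended before the second started. The port-445 line is not RDP.
SAMPLE_LOG = """\
src=10.0.0.5 dest=10.0.0.9 dest_port=3389 start=1000 end=1900
src=10.0.0.9 dest=10.0.0.20 dest_port=3389 start=1200 end=1800
src=10.0.0.30 dest=10.0.0.40 dest_port=3389 start=100 end=200
src=10.0.0.40 dest=10.0.0.50 dest_port=3389 start=300 end=400
src=10.0.0.20 dest=10.0.0.9 dest_port=445 start=1300 end=1400
"""

def parse_events(text, port=3389):
    """Parse key=value lines, keeping only sessions to the RDP port."""
    events = []
    for line in text.splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split())
        if kv.get("dest_port") == str(port):
            events.append({"src": kv["src"], "dest": kv["dest"],
                           "start": int(kv["start"]), "end": int(kv["end"])})
    return events

def find_chains(events):
    """Return chains [ip0, ip1, ...] of length > 2 where each hop's src is the
    previous hop's dest and the next hop starts while the previous session is
    still open (hence the need for end times). Sub-chains are dropped."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    def extend(chain, last):           # depth-first walk over overlapping hops
        out = []
        for nxt in by_src.get(last["dest"], []):
            if last["start"] <= nxt["start"] <= last["end"] and nxt["dest"] not in chain:
                out.extend(extend(chain + [nxt["dest"]], nxt))
        return out or [chain]

    chains = [c for e in events for c in extend([e["src"], e["dest"]], e) if len(c) > 2]
    # a chain found by starting at a later hop is a suffix of a longer one; drop it
    return [c for c in chains
            if not any(len(o) > len(c) and o[-len(c):] == c for o in chains)]

if __name__ == "__main__":
    for chain in find_chains(parse_events(SAMPLE_LOG)):
        print(" -> ".join(chain))
```

Fed with the real log export instead of SAMPLE_LOG, the same walk lists every multi-hop path of IPs, which is the output the question asks for.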