Hi all!
I'm currently trying to create an RDP session analysis dashboard. I'm using Sysmon event logs, specifically Event ID "3", to create an SPL query that shows traffic on port 3389 with a few filters. I only want to see usernames that exist in the Windows domain.
index=windows source=sysmon
DestinationPort=3389
EventCode=3
Image!="C:\Program Files\RANDOMAPP*"
| rename User as SourceUser
| search SourceUser!="NT AUTHORITY\NETWORK SERVICE"
SourceUser!="NT-AUTHORITY\Network Service"
SourceUser!="NT-AUTHORITY\SYSTEM"
| stats count by SourceUser Image SourceHostname DestinationHostname SourceIp DestinationIp DestinationPort
| sort - count
Since last week, the "Image" value has unexpectedly started appearing in the "User" field in all events.
Why is this happening and how can I prevent it from appearing in the "User" field?
When I add the following query, no events are displayed. Could it be that the "User" field is getting mixed up with the "Image" field?
User!=Windows\*
User!="Program Files*"
Also, if you check the events, you can see 2 events being displayed for "User".
Sorry for the bazillion questions, but I'm starting to get a bit frustrated here 😅
Thanks in advance for your help and have a great day!
@maiks1 When I saw another field's values show up in a given field, a sysadmin had changed the order of the logs. This can show up as a new order to the same number of fields, introduction of a new field in the log, removal of a field, which changes the order of later fields in the log, etc. Sourcetype configuration wasn't updated, so it keeps parsing per its definition. Lesson: walk through the whole thing slowly, starting at the beginning. Once you have identified what changed, then you can work on why it changed.
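To check for the field shift described in the question and in the reply above, here is an added Python example (not code from the original thread). It assumes the extracted Sysmon Event ID 3 fields are available as key/value dictionaries; the sample events are constructed for this example, and the domain name is a placeholder.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed Sysmon Event ID 3 records, as Splunk would present the
# extracted fields. Sample inputs made up for this example, not events
# from the original post.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventCode": "3", "DestinationPort": "3389",
     "Image": r"C:\Windows\System32\mstsc.exe", "User": r"CORP\alice"},
    {"EventCode": "3", "DestinationPort": "3389",
     "Image": r"C:\Windows\System32\mstsc.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # A shifted record: the Image path landed in User (the symptom in the post).
    {"EventCode": "3", "DestinationPort": "3389",
     "Image": r"CORP\bob", "User": r"C:\Windows\System32\mstsc.exe"},
]

# A Windows account looks like DOMAIN\name (exactly one backslash); an
# Image is a full path that starts with a drive letter.
USER_RE = re.compile(r"^[^\\]+\\[^\\]+$")
IMAGE_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)


def classify(ev: Dict[str, str]) -> str:
    """'ok' if User and Image have the expected shape, 'swapped' if the two
    values appear to have changed places, otherwise 'unknown'."""
    user, image = ev.get("User", ""), ev.get("Image", "")
    if USER_RE.match(user) and IMAGE_RE.match(image):
        return "ok"
    if IMAGE_RE.match(user) and USER_RE.match(image):
        return "swapped"
    return "unknown"


def audit(events: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count events per classification; any 'swapped' count is the signal
    that the field extraction no longer matches the log layout."""
    return dict(Counter(classify(ev) for ev in events))


def rdp_summary(events: Iterable[Dict[str, str]], domain: str) -> Dict[Tuple[str, str], int]:
    """Counterpart of the post's stats: count by User and Image for RDP
    events whose User is an account in the given domain (built-ins excluded)."""
    counts: Counter = Counter()
    for ev in events:
        if ev.get("EventCode") != "3" or ev.get("DestinationPort") != "3389":
            continue
        if classify(ev) != "ok":
            continue  # skip shifted records rather than counting a path as a user
        dom, _, _name = ev["User"].partition("\\")
        if dom.upper() == domain.upper():
            counts[(ev["User"], ev["Image"])] += 1
    return dict(counts)
```

Run `audit()` over a day of events: a non-zero `swapped` count confirms the extraction, not the query, needs fixing.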