Splunk Search

RDP Session Daisy Chain

New Member


I am trying to form a script that will parse information to detect RDP sessions that are Daisy Chained over our network.


src=* dest=* dest_port=3389 | transaction dest startswith=(src)

src=w.x.y.z. dest= dest_port-3389
scr= dest=a.b.c.d dest_port=3389

The problem is continuing the search to find multiple jumps and listing the multiple IPS.

0 Karma


You need duration or end time in addition to start time to consider doing this.

It's also going to be difficult to do this in a "normal" Splunk search. I did something somewhat similar with mail logs. Specifically I had to write a custom search command that followed tree-like data, which is what your use case really needs.

0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...