Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Request for Assistance

singhvikas
Explorer
‎03-09-2021 11:31 PM

Hi Community,

I'm new to this world. I saw some very helpful people helping out new starters so I gathered courage to ask a question. 

https://opstune.com/2020/07/01/spl-nuggets-visualizing-rdp-ts-connections-from-eventlogs/

I was hoping to modify the query to give me a nice visualization of RDP Activity focusing only on the 1149 Events. 

 

 

 

index="xxxx" LogName="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" EventCode=1149| eval time=strftime(_time,"%Y-%m-%dT%H:%M:%SZ") | rex field=_raw ".*User:\s+(?<User>.*)\r\n" | rex field=_raw ".*Domain:\s+(?<Domain>.*)\r\n" | rex field=_raw ".*Network\sAddress:\s+(?<IP>.*)" | table host, time, User, Domain, IP

 

 

 

This gives me a very pretty tabular format of RDP attempts (not confirmed successful logins at times, but will do) 

How could I possibly edit the query in Github to cater to my needs? 

Apart from this, is there a way we can visualize (4624?) or Lateral Movement in the form of a picture/timeline using Splunk?

Thank you,

Vikas

Labels (4)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...