Request for Assistance

Splunk Search

Hi Community,

I'm new to this world. I saw some very helpful people helping out new starters so I gathered courage to ask a question.

https://opstune.com/2020/07/01/spl-nuggets-visualizing-rdp-ts-connections-from-eventlogs/

I was hoping to modify the query to give me a nice visualization of RDP Activity focusing only on the 1149 Events.

index="xxxx" LogName="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" EventCode=1149| eval time=strftime(_time,"%Y-%m-%dT%H:%M:%SZ") | rex field=_raw ".*User:\s+(?<User>.*)\r\n" | rex field=_raw ".*Domain:\s+(?<Domain>.*)\r\n" | rex field=_raw ".*Network\sAddress:\s+(?<IP>.*)" | table host, time, User, Domain, IP

This gives me a very pretty tabular format of RDP attempts (not confirmed successful logins at times, but will do)

How could I possibly edit the query in Github to cater to my needs?

Apart from this, is there a way we can visualize (4624?) or Lateral Movement in the form of a picture/timeline using Splunk?

Thank you,

Vikas

Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...