Splunk Search

using search to find user using RDP and switch identities usage

youngsuh
Path Finder

What's a good way to find user who logon to RDP with one user account then user another like privilege user account.  I know the event code/id that need to be monitored. 

Here are the event code/id:

EventCode=1146 OR EventCode=1147 OR EventCode=1148 OR EventCode=1149 OR EventCode=4624 OR EventCode=4625 OR EventCode=21 OR EventCode=22 OR EventCode=23 OR EventCode=24 OR EventCode=25 OR EventCode=39 OR EventCode=40 OR EventCode=4778 OR EventCode=4779 OR EventCode=4634 OR EventCode=4647 OR EventCode=9009

Here is the guy who documented the event id/code:  https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investi...

Which command would tell the story better?  concurrency vs streamstats vs timechart or is it combination of concurrency and timechart or am I total off?

Labels (4)
Tags (2)
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!