SIEM Visualization Example 3: Successful RDP Logon Related To Service Accounts
July 3, 2024

First, add the filters:
event.code is 4624 (An account was successfully logged on)
winlog.logon.type is RemoteInteractive (logon type 10, the type used by RDP sessions)

Double-check that the user.name.keyword field exists in the index, since the table rows below rely on it.

Change the visualization type to Table.

Add rows (Terms aggregations), each with Size set to 1000:
user.name.keyword
host.hostname.keyword
related.ip.keyword

Set the metric to Count.

Add the service-account naming pattern to the KQL query bar so that only service accounts are shown:
user.name: svc-*
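The following is an added example, not part of the original page: it replicates the visualization's logic in plain Python over a constructed set of ECS-style events (the same filters, the same three row fields and the Count metric), and also builds the Elasticsearch query DSL that is assumed to be equivalent to what the Kibana table issues. Field names are the ones used on the page; the sample events, IPs and hostnames are made up.

```python
"""Added example (not from the original page): reproduce the 'Successful RDP
logon by service account' table from constructed sample events."""
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample events using the ECS field names from the page.
# Winlogbeat ships event.code as a string; related.ip is an array field in ECS.
SAMPLE_EVENTS = [
    {"event.code": "4624", "winlog.logon.type": "RemoteInteractive",
     "user.name": "svc-backup", "host.hostname": "FILE01", "related.ip": ["10.0.0.5"]},
    {"event.code": "4624", "winlog.logon.type": "RemoteInteractive",
     "user.name": "svc-backup", "host.hostname": "FILE01", "related.ip": ["10.0.0.5"]},
    {"event.code": "4624", "winlog.logon.type": "RemoteInteractive",
     "user.name": "svc-sql", "host.hostname": "DB01", "related.ip": ["10.0.0.9"]},
    # Interactive user, not a service account: excluded by the KQL pattern.
    {"event.code": "4624", "winlog.logon.type": "RemoteInteractive",
     "user.name": "jdoe", "host.hostname": "WS01", "related.ip": ["10.0.0.20"]},
    # Network logon (SMB, etc.), not RDP: excluded by the logon-type filter.
    {"event.code": "4624", "winlog.logon.type": "Network",
     "user.name": "svc-sql", "host.hostname": "DB01", "related.ip": ["10.0.0.9"]},
    # Failed logon (4625): excluded by the event-code filter.
    {"event.code": "4625", "winlog.logon.type": "RemoteInteractive",
     "user.name": "svc-web", "host.hostname": "WEB01", "related.ip": ["10.0.0.7"]},
]


def matches(event, pattern="svc-*"):
    """Apply the page's filters: event.code 4624 AND logon type RemoteInteractive
    AND the KQL wildcard user.name: svc-* (case-sensitive prefix match here)."""
    return (str(event.get("event.code")) == "4624"
            and event.get("winlog.logon.type") == "RemoteInteractive"
            and fnmatchcase(str(event.get("user.name", "")), pattern))


def _ip_key(value):
    """related.ip may be a list; normalize it so it can be used as a row key."""
    if isinstance(value, (list, tuple)):
        return ", ".join(value)
    return value if value is not None else "-"


def count_by_rows(events, pattern="svc-*"):
    """Equivalent of the table: rows (user.name, host.hostname, related.ip) with Count."""
    counter = Counter()
    for e in events:
        if matches(e, pattern):
            key = (e["user.name"], e["host.hostname"], _ip_key(e.get("related.ip")))
            counter[key] += 1
    return counter


def build_query_dsl(pattern="svc-*", size=1000):
    """Assumed-equivalent Elasticsearch query DSL for the visualization:
    three filter clauses plus nested terms aggregations with Size 1000."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event.code": "4624"}},
            {"term": {"winlog.logon.type": "RemoteInteractive"}},
            {"wildcard": {"user.name": {"value": pattern}}},
        ]}},
        "aggs": {"by_user": {
            "terms": {"field": "user.name.keyword", "size": size},
            "aggs": {"by_host": {
                "terms": {"field": "host.hostname.keyword", "size": size},
                "aggs": {"by_ip": {
                    "terms": {"field": "related.ip.keyword", "size": size}}}}}}},
    }


if __name__ == "__main__":
    for (user, host, ip), n in sorted(count_by_rows(SAMPLE_EVENTS).items()):
        print(f"{user:12} {host:8} {ip:12} {n}")
```

Running the block prints two rows, svc-backup on FILE01 from 10.0.0.5 with a count of 2 and svc-sql on DB01 from 10.0.0.9 with a count of 1; the non-service user, the Network logon and the 4625 event are filtered out exactly as the Kibana filters would drop them.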
