topic retrieve RDP informations in Cortex XDR Discussions

retrieve RDP informations

LECORRE — Thu, 04 Jan 2024 12:48:56 GMT

Hello and sorry for my bad english,

I want to retrieve informations about RDP connection to computers.

When computer A connect to computer B with RDP, on computer B (destination) windows log this event :
Event Security with ID 4624 et logon type 10

How by query builder retrieve this information on all computers ?

thanks a lot

Re: retrieve RDP informations

aspatil — Tue, 09 Jan 2024 10:26:17 GMT

Hello @LECORRE ,

Thank you for writing to live community.

You can use below query as a sample and modify it as per your requirement:

preset = xdr_event_log
| filter action_evtlog_event_id = 4624

Hope this helps!

Please mark the response as "Accept as Solution" if it answers your query.

Re: retrieve RDP informations

LECORRE — Tue, 09 Jan 2024 10:28:48 GMT

I create found base on other topic on forum, the script is :

dataset = xdr_data
| filter event_type = WINDOWS_EVENT_LOG AND action_evtlog_event_id = 4624
| alter Logon_Type = arrayindex(regextract(action_evtlog_message, "Logon Type:.*?(\d+)\r\n"),0), User_Name = arrayindex(regextract(action_evtlog_message,"New Logon:\r\n.*\r\n.*?Account Name:.*?(\w.*?)\r\n"),0), Source_IP = arrayindex(regextract(action_evtlog_message, "Source Network Address:.*?(\d+\.\d+\.\d+\.\d+)\r\n"),0), HOST_Name = arrayindex(regextract(action_evtlog_message, "Workstation Name:.*?(\w.*)\r\n"),0)
| filter Logon_Type  = "10"
| fields agent_hostname, User_name, Logon_Type, Source_IP