Successful RDP Logon Related To Service Accounts

Objective

Create a visualization to monitor successful RDP logon attempts specifically related to service accounts.

Steps

1. Navigate to the Target System

   • Access the SIEM tool via http://[Target IP]:5601.

   • Open the "Dashboard" from the side navigation.

2. Edit Dashboard

   • Click the "pencil" or edit icon to modify the dashboard.

   • Select "Create visualization" to begin.

3. Configure Visualization Settings

   • Filter Configuration

     • Set up a filter to focus on Event ID 4624 (successful logon attempts).

     • Filter logon type to RemoteInteractive using the winlog.logon.type field.

   • Index Pattern

     • Specify windows* as the index pattern to use Windows-related logs.

   • Search Bar Check

     • Confirm user.name.keyword is in the dataset to ensure field accuracy.

   • Select Visualization Type

     • Choose the "Table" option for the display.

4. Table Configuration

   • Rows Settings

     • Add "Rows" to display:

       • Service Account - user.name field (filtered for svc-* for service accounts).

       • Machine - reporting host machine (host.hostname.keyword).

       • Initiating IP - IP of the machine that initiated the logon (related.ip.keyword).

       • Count of Events - set to "count" to show event occurrences.

   • Metrics

     • Select "count" as the metric to populate the table.

5. KQL Query for Service Accounts

   • Use user.name: svc-* to limit results to service accounts starting with svc-.

6. Save and Return

   • Click "Save and return" to add the configured visualization to the dashboard.

---

The completed table will display:

• The service account used for the RDP logon.

• The machine that received the logon.

• The IP of the initiating machine.

• The count of successful RDP logon attempts.