
Create search that "tell a full analysis of who connected to a host and use shared account to rdp to another machine"

Open josehelps opened this issue 3 years ago • 1 comment

This was raised as a request on user slack by Young So: https://splunk-usergroups.slack.com/archives/C1S5BEF38/p1650643429804829

Hello, experts, we're trying to correlate event codes 1149, 4624/4625/4778/4779/4634. I can't seem to get a full analysis of who connected to a host and used a shared account to RDP to another machine. I've looked around the internet but am only turning up old articles. The ask is: has anyone done such a correlated search in Splunk? This must be a use case for anyone who is monitoring shared identities.

josehelps avatar Apr 25 '22 17:04 josehelps
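The correlation the request asks for, written out as an added example (not code from the security_content project or from the issue author): build RDP session windows per (account, host) from the Security log events named above, then flag a shared account whose RDP logon on one host originates from the IP of another host where that same account already holds an open RDP session. The logic is expressed in Python over constructed events rather than in SPL so the chaining is explicit; the field names (`user`, `src_ip`, `Logon_Type`), host names, IPs, the `HOST_IPS` inventory and the `SHARED_ACCOUNTS` set are all assumptions, as is the simplification of treating 4624 with logon type 10 and 4778 as session start and 4634/4779 as session end.

```python
"""Trace a shared account hopping between hosts over RDP.

Added example, not part of the security_content project. Event shapes
mimic what a Splunk Windows TA extracts from Security log events 4624
(logon, Logon_Type 10 = RemoteInteractive), 4778 (RDP session reconnect),
4634/4779 (logoff / session disconnect) and the RemoteConnectionManager
event 1149. All values below are constructed, not real telemetry.
"""
from collections import defaultdict

LOGOFF_CODES = {4634, 4779}

# Constructed sample events; "time" is a simple increasing integer.
EVENTS = [
    {"time": 100, "EventCode": 1149, "Computer": "srv-a", "user": "svc_shared", "src_ip": "10.0.0.5"},
    {"time": 101, "EventCode": 4624, "Computer": "srv-a", "user": "svc_shared", "Logon_Type": "10", "src_ip": "10.0.0.5"},
    # second hop: srv-b sees the logon arriving from srv-a's own address
    {"time": 300, "EventCode": 1149, "Computer": "srv-b", "user": "svc_shared", "src_ip": "10.0.0.20"},
    {"time": 301, "EventCode": 4624, "Computer": "srv-b", "user": "svc_shared", "Logon_Type": "10", "src_ip": "10.0.0.20"},
    {"time": 400, "EventCode": 4634, "Computer": "srv-b", "user": "svc_shared"},
    # unrelated personal-account logon from a workstation, not a hop
    {"time": 500, "EventCode": 4624, "Computer": "srv-c", "user": "alice", "Logon_Type": "10", "src_ip": "10.0.0.7"},
]

# Assumed asset inventory (host -> IP) and the accounts considered shared.
HOST_IPS = {"srv-a": "10.0.0.20", "srv-b": "10.0.0.21", "srv-c": "10.0.0.22"}
SHARED_ACCOUNTS = {"svc_shared"}


def rdp_sessions(events):
    """Return {(user, host): [session, ...]} where each session records
    start time, end time (None if still open) and the source IP of the logon."""
    opened = {}
    sessions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["Computer"])
        code = ev["EventCode"]
        is_rdp_logon = code == 4778 or (code == 4624 and ev.get("Logon_Type") == "10")
        if is_rdp_logon and key not in opened:
            opened[key] = (ev["time"], ev.get("src_ip"))
        elif code in LOGOFF_CODES and key in opened:
            start, src = opened.pop(key)
            sessions[key].append({"start": start, "end": ev["time"], "src_ip": src})
        # 1149 and 4625 are left out of the session model here; they are
        # useful separately for listing connection attempts and failures.
    for key, (start, src) in opened.items():  # sessions with no logoff yet
        sessions[key].append({"start": start, "end": None, "src_ip": src})
    return sessions


def lateral_rdp_hops(events, shared_accounts, host_ips):
    """Flag each RDP logon of a shared account whose source IP belongs to a
    host on which that same account already had an open RDP session."""
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    sessions = rdp_sessions(events)
    hops = []
    for (user, dst_host), windows in sessions.items():
        if user not in shared_accounts:
            continue
        for w in windows:
            src_host = ip_to_host.get(w["src_ip"])
            if src_host is None:
                continue  # source is not a managed host (e.g. a VPN client): first hop only
            for up in sessions.get((user, src_host), []):
                if up["start"] <= w["start"] and (up["end"] is None or up["end"] >= w["start"]):
                    hops.append({"user": user, "from": src_host, "to": dst_host,
                                 "time": w["start"], "entry_src_ip": up["src_ip"]})
    return hops


if __name__ == "__main__":
    for hop in lateral_rdp_hops(EVENTS, SHARED_ACCOUNTS, HOST_IPS):
        print(hop)
```

The `entry_src_ip` of the upstream session is what answers "who connected": it is the address the shared account first arrived from, which the second-hop host never sees on its own. In Splunk the same join would be a transaction or a self-join on the 4624 source address against the host inventory, but the window check (upstream session open at the time of the downstream logon) is the part that is easy to get wrong, so it is spelled out here.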

Maybe this is best built as a threat hunting dashboard, a better fit for investigative workflows.

josehelps avatar Apr 25 '22 17:04 josehelps