Data Source: Windows Event Log Microsoft Windows TerminalServices RDPClient 1024

Description

Data source object for Windows Event ID 1024 from the Microsoft-Windows-TerminalServices-RDPClient/Operational channel. The event is written on the RDP client (mstsc.exe or the RDP ActiveX control) when it begins a connection attempt: the Message names the server being contacted, while Computer/ComputerName is the machine that initiated the connection. Because it is recorded on the source rather than the destination, it is useful for tracing RDP lateral movement outward from a compromised host and for spotting outbound RDP to unexpected or public addresses. Note that the User field can be NOT_TRANSLATED (as in the example below), in which case the Sid field is needed to attribute the session.

Details

Property Value
Source WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational
Sourcetype WinEventLog
Separator EventCode

Event Fields

_time
Channel
Computer
EventCode
EventData
EventID
EventRecordID
EventType
Keywords
Level
Message
Opcode
ProcessID
RecordNumber
Security_ID
Src
Src_Host
Src_NT_Domain
Src_User
System_TimeCreated
Task
ThreadID
Type
User
UserID
Version
dest
dvc
event_id
host
source
sourcetype
tag
user

Example Log

11/21/2024 06:09:16 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=95 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57)
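As an added example (not part of the original page or of the Splunk content it documents), the following Python parses records in the rendered key=value layout shown in the example log, extracts the target server from the Event 1024 Message, and applies two simple checks over them: outbound RDP to a globally routable IP, and one client fanning out to many distinct servers. The sample records, the fan-out threshold of three, and every host name and address other than those in the example log above are constructed for this example.

```python
"""Parse Windows Event ID 1024 (Microsoft-Windows-TerminalServices-RDPClient/Operational)
records as rendered in key=value form and flag outbound RDP to public addresses and
RDP fan-out from a single client.  Added example; SAMPLE_EVENTS is constructed and the
fan-out threshold is an assumption, not a vendor recommendation."""
import ipaddress
import re
from collections import defaultdict

# Values may contain spaces ("TaskCategory=Connection Sequence"), so split only at
# whitespace that is immediately followed by another "Key=" token.
_FIELD_SPLIT = re.compile(r"\s+(?=[A-Za-z_]+=)")
_KEY_START = re.compile(r"^[A-Za-z_]+=")
# The 1024 Message names the server the client was asked to connect to.
_DEST_RE = re.compile(r"trying to connect to the server \((?P<dest>[^)]+)\)")
# The target may have been typed as "host:port"; IPv6 literals (which contain ':') are left alone.
_HOST_PORT_RE = re.compile(r"^(?P<host>[^:\[\]]+):(?P<port>\d+)$")

# Constructed sample records in the same layout as the page's example log.
SAMPLE_EVENTS = [
    "11/21/2024 06:09:16 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=95 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57)",
    "11/21/2024 06:11:02 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=96 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (10.0.1.14)",
    "11/21/2024 06:11:40 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=97 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (10.0.1.15:3389)",
    "11/21/2024 06:12:05 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=98 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (dc01.attackrange.local)",
    "11/21/2024 06:15:30 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-2.attackrange.local User=ATTACKRANGE\\bob Sid=S-1-5-21-1731938146-2314223186-1848411941-1105 SidType=1 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=41 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (10.0.1.14)",
    # Constructed non-1024 record from the same channel; it must be ignored.
    "11/21/2024 06:16:00 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-2.attackrange.local User=ATTACKRANGE\\bob Sid=S-1-5-21-1731938146-2314223186-1848411941-1105 SidType=1 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=42 Keywords=None TaskCategory=Connection Sequence OpCode=Info Message=RDP ClientActiveX has been disconnected (Reason= 2)",
]


def parse_event(line):
    """Return {'time','fields','src','actor','dest','port'} for one 1024 record, else None."""
    parts = _FIELD_SPLIT.split(line.strip())
    time = ""
    if parts and not _KEY_START.match(parts[0]):
        time = parts.pop(0)          # leading "MM/DD/YYYY hh:mm:ss AM|PM" timestamp
    fields = dict(p.split("=", 1) for p in parts)
    if fields.get("EventCode") != "1024":
        return None
    m = _DEST_RE.search(fields.get("Message", ""))
    if not m:
        return None
    dest, port = m.group("dest").strip(), None
    hp = _HOST_PORT_RE.match(dest)
    if hp:
        dest, port = hp.group("host"), int(hp.group("port"))
    # User is often NOT_TRANSLATED in this channel; fall back to the SID for attribution.
    actor = fields.get("User")
    if actor in (None, "", "NOT_TRANSLATED"):
        actor = fields.get("Sid", "")
    return {
        "time": time,
        "fields": fields,
        # ComputerName is the RDP *client*, i.e. the source of the connection, not the server.
        "src": fields.get("ComputerName", ""),
        "actor": actor,
        "dest": dest,
        "port": port,
    }


def is_public(dest):
    """True only for a literal IP that is globally routable; host names return False."""
    try:
        return ipaddress.ip_address(dest).is_global
    except ValueError:
        return False


def analyze(lines, fanout_threshold=3):
    """Flag public destinations and clients reaching >= fanout_threshold distinct servers."""
    public_hits, dests_by_src = [], defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        dests_by_src[ev["src"]].add(ev["dest"])
        if is_public(ev["dest"]):
            public_hits.append((ev["time"], ev["src"], ev["actor"], ev["dest"]))
    fanout = {src: sorted(d) for src, d in dests_by_src.items() if len(d) >= fanout_threshold}
    return {"public": public_hits, "fanout": fanout}


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_EVENTS).items():
        print(name, hits)
```

Two design points carry over to a real search: the grouping key is ComputerName because this event sits on the initiating host, so fan-out is measured per client, and a host name in the Message is never classified as public, since resolving it at detection time would change the answer depending on the resolver; a production pipeline would enrich with asset or DNS data instead.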

Source: GitHub | Version: 1