This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Rule to track Remote session followed by a Remote session.

AnujShrivastava
Beginner
Beginner

‎2017-04-12 07:12 AM

Hi ,

I need to create a Rule where i can track the Consecutive Remote Desktop activity, 

 

If a user Login to a Server using RDP and Consecutively logs into a another server from that same server using a RDP again, means "Remote session from a server and then one more Remote Session from that Remote session.

 

server > Remote destop then another > Remote desktop> then another.

 

i need to track this.

I tried to create a ESA rule but it stuck on one place it is tracking all activity from a same user.dst but only for single server, but if a user takes a another session from a remote session itself it will change the destination server in logs, that i am not able to track in a "followed by"  Rule.

 

Thanks in Advance. \m/

 

pastedImage_1.png

pastedImage_2.png

pastedImage_3.png

 

Result also attached in Attachment  --- here you will see that same destination server is tracked for both of the time but i want to track the second remote session from a remote session, hence second remote session will change the second destination IP.

pastedImage_4.png

Labels:
Preview file
81 KB
0 Likes
1 REPLY 1

JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2017-04-13 05:31 PM

You are probably going to need a single point that is the same on all RDP sessions, such as the user.dst, to tie all the different logs together. This may require some more advanced ESP rule creation then the UI wizards will not allow. I suspect you'll need to compare user.dst between different server logs within a specific time range to see if someone is hopping from one server to another via RDP. Unfortunately I don't know enough about the language myself to provide a working example. However the above thought process should be generally correct. 

 

The only other thing I can think of would be to say if a user uses RDP on a server then you see that server's IP address as a RDP source on another server within a fixed period of time alert. In that case the tying information is the RDP protocol and then the source IP being compared to the destination IP from the last check.

 

Just like above I suspect this is something you won't be able to use the easy wizard mode of ESA rule building. You'll need to use the Advance builder. I know it isn't the answer you probably wanted but hopefully it will help. The community is full of smart people and I know someone on here has ESP writing skills.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.