SIEM use case - Discovering RDPs
So I had to come up with a SIEM use-case configuration, which could detect RDP sessions in the network infused with additional conditional use case clauses, which I rather not talk about ;)
It turns out that different windows events are generated if a user logs on with a new log on session and when a user connects back to a disconnected terminal (RDP) session.
Event IDs 4478, whereby the payload contains the string "RDP-Tcp"
Event IDs 4624, whereby the payload contains the string "Logon Type: 10" or "Logon Type: 10".
You see that event 4624 in pre-Win2K8 has a single space ("/s") between the colon and the number 10, while in Win2k8 and on-wards there are 3 spaces between the colon and the number 10, So better use regular expression for this filter.
Hope this is of some help.