SELECT
meta_hostname AS "RDP Destination",
calendar_time,
cmdline,
remote_address AS "Connected From",
local_address AS "Connected To"
FROM xdr_data
WHERE query_name = 'open_sockets'
AND cmdline LIKE '%TermService%'
ORDER BY calendar_time DESC
This query reports all successful RDP connections recorded in the Data Lake: it lists open sockets belonging to the process hosting TermService (the Remote Desktop service) on each endpoint, newest first. For each row, ask:
- Are these the connections you expect?
- Is any source an external IP address?
- Are any connections made at unusual times?
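The three review questions can be applied mechanically to the query's output. The script below is an added example, not part of the original page or the Data Lake product: it runs the checks over constructed rows shaped like the query's result columns. It assumes calendar_time arrives as Unix epoch seconds and that expected RDP sources live in a hypothetical jump-host subnet 10.0.5.0/24; both are assumptions, not values from the page. "Internal" is defined explicitly as RFC 1918, loopback and link-local space so that the classification is transparent to the analyst.

```python
import ipaddress
from datetime import datetime, timezone

# Assumption: RDP is expected only from this hypothetical jump-host subnet.
EXPECTED_SOURCES = [ipaddress.ip_network("10.0.5.0/24")]

# Address space treated as internal: RFC 1918 plus loopback and link-local.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample rows mirroring the query's output columns
# (calendar_time assumed to be Unix epoch seconds, UTC).
SAMPLE_ROWS = [
    {"RDP Destination": "fileserver01", "calendar_time": 1699956800,  # Tue 10:13 UTC
     "cmdline": "svchost.exe -k NetworkService -s TermService",
     "Connected From": "10.0.5.23:50112", "Connected To": "10.0.1.10:3389"},
    {"RDP Destination": "fileserver01", "calendar_time": 1700000000,  # Tue 22:13 UTC
     "cmdline": "svchost.exe -k NetworkService -s TermService",
     "Connected From": "10.0.8.44:51880", "Connected To": "10.0.1.10:3389"},
    {"RDP Destination": "dc01", "calendar_time": 1700302400,          # Sat 10:13 UTC
     "cmdline": "svchost.exe -k NetworkService -s TermService",
     "Connected From": "203.0.113.7:44021", "Connected To": "10.0.1.5:3389"},
]


def strip_port(addr: str) -> str:
    """Drop a trailing ':port' from an IPv4 'address:port' string."""
    return addr.split(":")[0] if addr.count(":") == 1 else addr


def is_external(addr: str) -> bool:
    """True when the address falls outside the internal ranges above."""
    ip = ipaddress.ip_address(strip_port(addr))
    return not any(ip in net for net in INTERNAL_NETS)


def is_expected_source(addr: str) -> bool:
    """True when the source sits in an allowlisted RDP source network."""
    ip = ipaddress.ip_address(strip_port(addr))
    return any(ip in net for net in EXPECTED_SOURCES)


def is_off_hours(epoch: int, start_hour: int = 7, end_hour: int = 19) -> bool:
    """True on weekends or outside the [start_hour, end_hour) window, UTC."""
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def review(rows):
    """Apply the checklist to each row; return only rows with findings."""
    findings = []
    for row in rows:
        src = row["Connected From"]
        reasons = []
        if not is_expected_source(src):
            reasons.append("unexpected source")
        if is_external(src):
            reasons.append("external address")
        if is_off_hours(row["calendar_time"]):
            reasons.append("off-hours")
        if reasons:
            findings.append({"host": row["RDP Destination"],
                             "from": strip_port(src),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_ROWS):
        print(f"{f['host']} <- {f['from']}: {', '.join(f['reasons'])}")
```

The first sample row (jump-host source, mid-morning) produces no finding; the second is flagged for an unexpected internal source at night; the third is flagged on all three counts. Tune EXPECTED_SOURCES and the working window to the environment before trusting the output.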
