Event ID 21: Session logon succeeded (Microsoft-Windows-TerminalServices-LocalSessionManager/Operational)
What this Event ID actually records on disk, the EventData fields worth reading first, and where it sits in a DFIR triage workflow.
- Channel
- Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
- Provider
- Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational
- Triage notes
- RDP session established. Source IP in the record is your attribution anchor.