Event ID 21 : Session logon succeeded (Microsoft-Windows-TerminalServices-LocalSessionManager/Operational)
Ce que cet Event ID enregistre vraiment sur disque, les champs EventData à lire en premier et sa place dans un workflow de triage DFIR.
- Canal
- Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
- Fournisseur
- Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational
- Notes de triage
- RDP session established. Source IP in the record is your attribution anchor.