Event ID 21: Session logon succeeded (Microsoft-Windows-TerminalServices-LocalSessionManager/Operational)

O que esse Event ID realmente registra em disco, os campos EventData a ler primeiro e onde ele se encaixa em um fluxo de triagem DFIR.

Canal: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Provedor: Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational
Notas de triagem: RDP session established. Source IP in the record is your attribution anchor.

Microsoft Learn

https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/rdp-error-general-troubleshootingAbrir a referência oficial ↗