Be sure to open notepad in a PowerShell window with Admin privileges.
Okay, thank you. Have you done the Search and Destroy challenge? If so, please, what was the user account that generated the XRDP activity? Thank you
You’ll have to work out the challenge yourself. If we just gave you the answer, it wouldn’t be a challenge.
Well if you could point me in the right direction, I wouldn’t mind. I’ve done the rest already.
I would recommend finishing the Learn portion of the SOC Analyst career path before starting any of the Challenges in the Practice section, as this will provide you with considerable additional experience with navigating telemetry in the Wazuh SIEM.
That said, you can find the answer to this question by filtering the data to the time period described in the instructions, then reviewing the events in that period. I would recommend starting with the earliest events and looking for references to a user.