Hello Pro’s,
I was working on the SOC Analyst course virtual lab “[Local Authentication in Windows]”, question 3: “How many RDP connections were made?”. I used all possible queries related to RDP EventID and LogonType, but whatever I enter as a response, it appears incorrect. Please refer to the screenshot for more details.
Can someone help with query or response for the question?
Thanks,
What is the logon type for interactive remote connections like RDP?
Hello Joseph
Thank you for your help.
I have tried LogonType = 3, whose count is 35; for LogonType = 10 the RDP count in the results is 13; for LogonType = 11 the RDP count in the results is (no match); and for the combined LogonType of 3 or 10 the RDP count in the results is 48.
Like I shared earlier, all answers are treated as incorrect. I have checked the above documentation as well, where Windows 10 uses LogonType = 10, but it is not working.
Thanks,
Bhavesh R Bhanushali
Note: I am looking for logon events (connections) and RDP. This gives me the correct answer.
If you only look for Logon Type 10 you will get both connections and disconnects.
I don’t want this to be an unfair question, do you think asking for “RDP logons” would make the answer more clear?
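To make the distinction in the reply above concrete, here is an added Python example (not the lab's query or data) that counts RDP logons over a constructed set of Windows Security events. It assumes the usual meanings of Event ID 4624 (successful logon), Event ID 4634 (logoff) and LogonType 10 (RemoteInteractive, i.e. RDP), and it takes a time window so the effect of a too-narrow search range is visible as well. The field names and sample values are mine.

```python
from datetime import datetime

# Constructed sample of Security-log events (not the lab's data).
# event_id 4624 = successful logon, 4634 = logoff; logon_type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "event_id": 4624, "logon_type": 10, "user": "alice"},
    {"ts": "2024-01-10T09:30:00", "event_id": 4634, "logon_type": 10, "user": "alice"},
    {"ts": "2024-01-10T10:00:00", "event_id": 4624, "logon_type": 3,  "user": "svc"},
    {"ts": "2024-01-11T14:00:00", "event_id": 4624, "logon_type": 10, "user": "bob"},
    {"ts": "2024-01-11T16:00:00", "event_id": 4634, "logon_type": 10, "user": "bob"},
    {"ts": "2024-01-13T08:00:00", "event_id": 4624, "logon_type": 10, "user": "carol"},
]

LOGON = 4624
LOGOFF = 4634
REMOTE_INTERACTIVE = 10


def in_window(event, start_iso, end_iso):
    """True if the event timestamp falls in [start, end); both bounds are ISO 8601 strings."""
    ts = datetime.fromisoformat(event["ts"])
    return datetime.fromisoformat(start_iso) <= ts < datetime.fromisoformat(end_iso)


def count_type10_events(events, start_iso, end_iso):
    """Naive count: every event tagged LogonType 10, logons and logoffs alike."""
    return sum(
        1 for e in events
        if e["logon_type"] == REMOTE_INTERACTIVE and in_window(e, start_iso, end_iso)
    )


def count_rdp_logons(events, start_iso, end_iso):
    """Intended count: only successful logon events (4624) with LogonType 10."""
    return sum(
        1 for e in events
        if e["event_id"] == LOGON
        and e["logon_type"] == REMOTE_INTERACTIVE
        and in_window(e, start_iso, end_iso)
    )


if __name__ == "__main__":
    # A two-day window misses carol's logon on the 13th; widening the range includes it.
    narrow = ("2024-01-10T00:00:00", "2024-01-12T00:00:00")
    wide = ("2024-01-01T00:00:00", "2024-02-01T00:00:00")
    print("type-10 events, narrow window:", count_type10_events(SAMPLE_EVENTS, *narrow))
    print("RDP logons, narrow window:    ", count_rdp_logons(SAMPLE_EVENTS, *narrow))
    print("RDP logons, wide window:      ", count_rdp_logons(SAMPLE_EVENTS, *wide))
```

Filtering on LogonType alone counts each session twice (logon plus logoff), so the answer is inflated; restricting to Event ID 4624 counts connections only, and the search window then decides whether older sessions are included.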
Hello Joseph,
Thank you for your help and clarity.
I was using the correct query, but the timestamp range considered was 24 hours, due to which I was getting incorrect results.
Thanks again!!