{"id":7980,"date":"2026-03-04T22:48:56","date_gmt":"2026-03-04T20:48:56","guid":{"rendered":"https:\/\/scalemedia.co.za\/cybermedia\/?post_type=docs&#038;p=7980"},"modified":"2026-03-04T22:49:25","modified_gmt":"2026-03-04T20:49:25","password":"","slug":"siem-visualization-example-3","status":"publish","type":"docs","link":"https:\/\/scalemedia.co.za\/cybermedia\/docs\/siem-visualization-example-3\/","title":{"rendered":"SIEM Visualization Example 3"},"content":{"rendered":"\n<p><strong>Successful RDP Logon Related To Service Accounts<\/strong><\/p>\n\n\n\n<p>In this SIEM visualization example, we aim to create a visualization to monitor successful RDP logons specifically related to service accounts. Service account credentials are never used for RDP logons in corporate\/real-world environments. We have been informed by the IT Operations department that all service accounts on the environment start with&nbsp;<code>svc-<\/code>.<\/p>\n\n\n\n<p>The motivation for this visualization stems from the fact that service accounts often possess exceptionally high privileges. We need to keep a close eye on how service accounts are used.<\/p>\n\n\n\n<p>Our visualization will be based on the following Windows event log.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.ultimatewindowssecurity.com\/securitylog\/encyclopedia\/event.aspx?eventid=4624\" target=\"_blank\" rel=\"noreferrer noopener\">4624: An account was successfully logged on<\/a><\/li>\n<\/ul>\n\n\n\n<p>Navigate to the bottom of this section and click on&nbsp;<code>Click here to spawn the target system!<\/code>.<\/p>\n\n\n\n<p>Navigate to&nbsp;<code>http:\/\/[Target IP]:5601<\/code>, click on the side navigation toggle, and click on &#8220;Dashboard&#8221;.<\/p>\n\n\n\n<p>A prebaked dashboard should be visible. 
Let&#8217;s click on the &#8220;pencil&#8221;\/edit icon.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization16.png\" alt=\"Elastic Dashboards page with a 'Create dashboard' button, search bar, and a listed dashboard titled 'SOC-Alerts' with an edit option.\"\/><\/figure>\n\n\n\n<p>Now, to initiate the creation of our first visualization, we simply have to click on the &#8220;Create visualization&#8221; button.<\/p>\n\n\n\n<p>Upon initiating the creation of our first visualization, the following new window will appear with various options and settings.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization1.png\" alt=\"Elastic dashboard interface with options to add a filter, select 'windows*' index, search field names, and choose 'Bar vertical stacked' visualization.\"\/><\/figure>\n\n\n\n<p>There are five things for us to notice on this window:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>A filter option that allows us to filter the data before creating a graph. In this case our goal is to display successful RDP logons specifically related to service accounts. We can use a filter to only consider event IDs that match\u00a0<code>4624 \u2013 An account was successfully logged on<\/code>. In this case though, we should also take into account the logon type which should be\u00a0<code>RemoteInteractive<\/code>\u00a0(<code>winlog.logon.type<\/code>\u00a0field). 
The following images demonstrate how we can specify such filters.<img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization38.png\" alt=\"Elastic filter editor with 'event.code' set to 'is 4624' and options to save or cancel.\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization39.png\" alt=\"Elastic filter editor with 'winlog.logon.type' set to 'is RemoteInteractive' and options to save or cancel.\"><\/li>\n\n\n\n<li>This field indicates the data set (index) that we are going to use. It is common for data from various infrastructure sources to be separated into different indices, such as network, Windows, Linux, etc. In this particular example, we will specify\u00a0<code>windows*<\/code>\u00a0in the &#8220;Index pattern&#8221;.<\/li>\n\n\n\n<li>This search bar provides us with the ability to double-check the existence of a specific field within our data set, serving as another way to ensure that we are looking at the correct data. We are interested in the\u00a0<code>user.name.keyword<\/code>\u00a0field. We can use the search bar to quickly perform a search and verify if this field is present and discovered within our selected data set. This allows us to confirm that we are accessing the desired field and working with accurate data.<img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization11.png\" alt=\"Elastic search interface with query 'user.' and available fields like related.user.keyword and user.name.keyword.\"><\/li>\n\n\n\n<li>Lastly, this drop-down menu enables us to select the type of visualization we want to create. The default option displayed in the earlier image is &#8220;Bar vertical stacked&#8221;. If we click on that button, it will reveal additional available options (image redacted as not all options fit on the screen). 
From this expanded list, we can choose the desired visualization type that best suits our requirements and data presentation needs.<img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization4.png\" alt=\"Elastic visualization type menu with options like Metric, Table, Bar horizontal, and Bar vertical stacked.\"><\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>For this visualization, let&#8217;s select the &#8220;Table&#8221; option. After selecting the &#8220;Table&#8221;, we can proceed to click on the &#8220;Rows&#8221; option. This will allow us to choose the specific data elements that we want to include in the table view.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization5.png\" alt=\"Table configuration interface with options to add or drag-and-drop fields into Rows, Columns, and Metrics sections.\"\/><\/figure>\n\n\n\n<p>Let&#8217;s configure the &#8220;Rows&#8221; settings as follows.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization6.png\" alt=\"Rows configuration interface: Select user.name.keyword field, top 1000 values, ranked by count of records in descending order.\"\/><\/figure>\n\n\n\n<p>Moving forward, let&#8217;s close the &#8220;Rows&#8221; window and proceed to enter the &#8220;Metrics&#8221; configuration.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization7.png\" alt=\"Table configuration: Rows set to top values of user.name.keyword, add fields to Columns and Metrics.\"\/><\/figure>\n\n\n\n<p>In the &#8220;Metrics&#8221; window, let&#8217;s select &#8220;count&#8221; as the desired metric.<\/p>\n\n\n\n<figure 
class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization8.png\" alt=\"Metrics selection interface: Choose 'Count' function for field.\"\/><\/figure>\n\n\n\n<p>One final addition to the table is to include two more &#8220;Rows&#8221; settings to show the machine where the successful RDP logon attempt occurred and the machine that initiated the successful RDP logon attempt. To do this, we will select the&nbsp;<code>host.hostname.keyword<\/code>&nbsp;field that represents the computer reporting the successful RDP logon attempt and the&nbsp;<code>related.ip.keyword<\/code>&nbsp;field that represents the IP of the computer initiating the successful RDP logon attempt. This will allow us to display the involved machines alongside the count of successful logon attempts, as shown in the image.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization40.png\" alt=\"Rows configuration: Select host.hostname.keyword, top 1000 values, ranked by number of logins in descending order.\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization41.png\" alt=\"Rows configuration: Select related.ip.keyword, top 1000 values, ranked by number of logins in descending order.\"\/><\/figure>\n\n\n\n<p>As discussed, we want to monitor successful RDP logons specifically related to service accounts, knowing for a fact that all service accounts of the environment start with&nbsp;<code>svc-<\/code>. 
So, to conclude our visualization we need to specify the following KQL query.<\/p>\n\n\n\n<p>&nbsp;&nbsp;SIEM Visualization Example 3: Successful RDP Logon Related To Service Accounts<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>user.name: svc-*\n<\/code><\/pre>\n\n\n\n<p><strong>Note<\/strong>: As you can see we don&#8217;t use the&nbsp;<code>.keyword<\/code>&nbsp;field in KQL queries.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/211\/visualization43.png\" alt=\"Elastic dashboard showing user logins: svc-sql1 connected to PKI, 2 logins.\"\/><\/figure>\n\n\n\n<p>Now we can see four columns in the table, which contain the following information:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The service account whose credentials generated the successful RDP logon attempt event.<\/li>\n\n\n\n<li>The machine on which the logon attempt occurred.<\/li>\n\n\n\n<li>The IP of the machine that initiated the logon attempt.<\/li>\n\n\n\n<li>The number of times the event has occurred (based on the specified time frame or the entire data set, depending on the settings).<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Successful RDP Logon Related To Service Accounts In this SIEM visualization example, we aim to create a visualization to monitor successful RDP logons specifically related to service accounts. Service account credentials are never used for RDP logons in corporate\/real-world environments. 
We have been informed by the IT Operations department that all service accounts on the&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"doc_category":[46],"doc_tag":[],"class_list":["post-7980","docs","type-docs","status-publish","hentry","doc_category-security-monitoring-siem-fundamentals"],"year_month":"2026-04","word_count":795,"total_views":0,"reactions":{"happy":0,"normal":0,"sad":0},"author_info":{"name":"admin","author_nicename":"admin","author_url":"https:\/\/scalemedia.co.za\/cybermedia\/author\/admin\/"},"doc_category_info":[{"term_name":"Security Monitoring &amp; SIEM Fundamentals","term_url":"https:\/\/scalemedia.co.za\/cybermedia\/docs-category\/security-monitoring-siem-fundamentals\/"}],"doc_tag_info":[],"_links":{"self":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7980","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/comments?post=7980"}],"version-history":[{"count":1,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7980\/revisions"}],"predecessor-version":[{"id":7981,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7980\/revisions\/7981"}],"wp:attachment":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/media?parent=7980"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/doc_catego
ry?post=7980"},{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/doc_tag?post=7980"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}