Hi Elastic community,
I have just started using Elastic with Kibana on the front end and Winlogbeat.
I am currently working on a project for work that revolves around analysing the Windows event log files of around 100 virtualised servers. My task is to identify when the administrator credentials have been used to RDP into these servers and indicate who is making this connection.
Despite having most of the data I need within Kibana, I am not able to retrieve possibly the most important information needed, which is either the username and/or computer name of where the connection to the servers is occurring. The computer name and workstation index fields only provide the server side information, not of the person or computer RDPing into the servers.
I am using event_data.IpAddress to retrieve the IP address of the connection, so I was wondering if there is a way to do an nslookup of this address within Kibana and display it under a custom index field? I have a PowerShell script that does this nslookup, but Kibana only allows for Painless or Expression code to be written. My scripting skill is next to none.
Can anyone please give me some advice how I would be able to display either the username and/or the computer name of the remote client trying to connect to these servers?
Thank you for your time. Needing help ASAP!
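Added example, not part of the original post and not Elastic's code: the detection and enrichment logic the post is asking for, run over constructed Winlogbeat-style Security events. It assumes the 6.x field layout the post refers to (`event_id`, `computer_name`, `event_data.LogonType`, `event_data.TargetUserName`, `event_data.IpAddress`, `event_data.WorkstationName`); a Windows Security event 4624 with LogonType 10 (RemoteInteractive) is an RDP logon, and its `IpAddress` is the client side of the connection. Reverse DNS is done outside Kibana because Painless runs inside Elasticsearch and cannot make network lookups, and Elasticsearch ingest pipelines have no reverse-DNS processor (the Logstash `dns` filter with `reverse` is the in-pipeline equivalent). The resolver is injectable so the example runs offline; the sample events, hostnames and IPs are invented.

```python
"""Pick RDP logons out of Winlogbeat Security events and reverse-resolve
the client IP. Added example with constructed data; the field names follow
the Winlogbeat 'event_data.*' layout, the sample values are invented."""
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample events (not real log data). event_id 4624 with
# LogonType "10" is a RemoteInteractive (RDP) logon; LogonType "2" is a
# console logon and must be ignored. The last event has no usable IP.
SAMPLE_EVENTS: List[dict] = [
    {"event_id": 4624, "computer_name": "SRV01.corp.example",
     "event_data": {"LogonType": "10", "TargetUserName": "Administrator",
                    "TargetDomainName": "CORP", "IpAddress": "10.1.2.3",
                    "WorkstationName": "WS-JDOE", "TargetLogonId": "0x3e7a1"}},
    {"event_id": 4624, "computer_name": "SRV01.corp.example",
     "event_data": {"LogonType": "2", "TargetUserName": "Administrator",
                    "TargetDomainName": "CORP", "IpAddress": "-",
                    "WorkstationName": "SRV01", "TargetLogonId": "0x3e7b0"}},
    {"event_id": 4624, "computer_name": "SRV02.corp.example",
     "event_data": {"LogonType": "10", "TargetUserName": "jsmith",
                    "TargetDomainName": "CORP", "IpAddress": "10.1.2.9",
                    "WorkstationName": "WS-JSMITH", "TargetLogonId": "0x41c02"}},
    {"event_id": 4624, "computer_name": "SRV03.corp.example",
     "event_data": {"LogonType": "10", "TargetUserName": "Administrator",
                    "TargetDomainName": "CORP", "IpAddress": "-",
                    "WorkstationName": "-", "TargetLogonId": "0x52d10"}},
]

Resolver = Callable[[str], str]


def system_rdns(ip: str) -> str:
    """Reverse lookup via the OS resolver (the nslookup the post mentions)."""
    return socket.gethostbyaddr(ip)[0]


def rdp_logons(events: Iterable[dict],
               admin_accounts: Optional[Iterable[str]] = None) -> List[dict]:
    """Return one record per 4624/LogonType 10 event.

    admin_accounts, if given, restricts the output to those TargetUserNames
    (case-insensitive), e.g. {"Administrator"} for the post's use case."""
    wanted = {a.lower() for a in admin_accounts} if admin_accounts else None
    out = []
    for ev in events:
        if ev.get("event_id") != 4624:
            continue
        d = ev.get("event_data", {})
        if d.get("LogonType") != "10":
            continue
        user = d.get("TargetUserName", "")
        if wanted is not None and user.lower() not in wanted:
            continue
        out.append({
            "server": ev.get("computer_name"),
            "user": f"{d.get('TargetDomainName', '')}\\{user}",
            "client_ip": d.get("IpAddress", "-"),
            "client_workstation": d.get("WorkstationName", "-"),
            "logon_id": d.get("TargetLogonId"),
        })
    return out


def resolve_client(ip: str, resolver: Resolver = system_rdns) -> Optional[str]:
    """Reverse-resolve a client IP; None when the event carries no usable
    address ('-', empty, loopback) or when no PTR record exists."""
    if ip in ("-", "", "127.0.0.1", "::1"):
        return None
    try:
        return resolver(ip)
    except OSError:          # socket.herror / gaierror are OSError subclasses
        return None


def enrich(records: List[dict], resolver: Resolver = system_rdns) -> List[dict]:
    """Add client_hostname to each record, caching lookups per IP so a busy
    jump host is resolved once, not once per logon."""
    cache: Dict[str, Optional[str]] = {}
    for r in records:
        ip = r["client_ip"]
        if ip not in cache:
            cache[ip] = resolve_client(ip, resolver)
        r["client_hostname"] = cache[ip]
    return records


if __name__ == "__main__":
    # Stand-alone run against the constructed events with the real resolver;
    # the invented 10.1.2.x addresses will simply resolve to None offline.
    for rec in enrich(rdp_logons(SAMPLE_EVENTS, admin_accounts={"Administrator"})):
        print(rec)
```

A reverse lookup names the client machine, not the person at it; the `client_workstation` value (4624 `WorkstationName`) is supplied by the client and is worth keeping alongside the PTR result rather than trusting either alone.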