I need to create a rule that tracks consecutive Remote Desktop activity.
If a user logs in to a server using RDP and then logs in to another server from that same server using RDP again, that means a remote session from a server and then one more remote session from that remote session.
Server > Remote Desktop, then another > Remote Desktop > then another.
I need to track this.
I tried to create an ESA rule, but it is stuck in one place: it tracks all activity from the same user.dst, but only for a single server. If a user takes another session from within a remote session, the destination server in the logs changes, and that is what I am not able to track in a "followed by" rule.
Thanks in advance. \m/
The result is also attached. There you will see that the same destination server is tracked both times, but I want to track the second remote session made from a remote session, so the second remote session will change the second destination IP.
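
The correlation described in the post, as an added example that is not part of the original post: each hop is joined to the previous one by matching its source IP to the previous hop's destination IP for the same user, rather than matching on a fixed destination. The field names, sample events and 30-minute window are assumptions, and this is plain Python showing the logic, not ESA rule syntax.

```python
from datetime import datetime, timedelta

# Constructed sample RDP logon events: (time, user_dst, ip_src, ip_dst).
# Field names and addresses are assumptions made for this example.
T0 = datetime(2024, 1, 1, 9, 0)
EVENTS = [
    (T0,                        "alice", "10.0.0.5",  "10.0.1.10"),  # workstation -> server A
    (T0 + timedelta(minutes=4), "alice", "10.0.1.10", "10.0.1.20"),  # server A -> server B
    (T0 + timedelta(minutes=9), "alice", "10.0.1.20", "10.0.1.30"),  # server B -> server C
    (T0 + timedelta(minutes=2), "bob",   "10.0.0.7",  "10.0.1.10"),  # single hop, no chain
    (T0 + timedelta(hours=3),   "bob",   "10.0.1.10", "10.0.1.20"),  # outside the time window
    (T0 + timedelta(minutes=5), "carol", "10.0.0.9",  "10.0.1.10"),
    (T0 + timedelta(minutes=6), "carol", "10.0.0.9",  "10.0.1.10"),  # same destination twice
]

def find_rdp_chains(events, window=timedelta(minutes=30), min_hops=2):
    """Return (user, [ip, ip, ...]) for each maximal chain of RDP logons where
    every hop starts from the destination of the same user's previous hop."""
    latest = {}  # (user, host the user is now on) -> (path so far, time of last hop)
    paths = []
    for ts, user, src, dst in sorted(events):
        prev = latest.get((user, src))
        if prev and ts - prev[1] <= window:
            path = prev[0] + [dst]   # hop originates inside an existing session
        else:
            path = [src, dst]        # first hop of a possible chain
        latest[(user, dst)] = (path, ts)
        paths.append((user, path))
    chains = [(u, p) for u, p in paths if len(p) - 1 >= min_hops]
    # Drop chains that are only the beginning of a longer reported chain.
    return [(u, p) for u, p in chains
            if not any(u == u2 and len(p2) > len(p) and p2[:len(p)] == p
                       for u2, p2 in chains)]

if __name__ == "__main__":
    for user, path in find_rdp_chains(EVENTS):
        print(user, " -> ".join(path))
```

Repeated logons to the same destination (carol) and hops separated by more than the window (bob) do not form a chain; only the source-equals-previous-destination join does.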