Name: Analyzing Bluekeep Rdp Event Logs
Author: fuyu12345

When to Use

Minimal Reliable Workflow

Load all three context files first: IOC list, normal patterns, and system inventory.
Parse logs structurally (SRC_IP, DST_IP, RDP_VERSION, CHANNELS, RESULT, NOTES), not with loose substring-only greps.
Build high-confidence exploit-attempt events by requiring multiple BlueKeep-consistent traits together (e.g., legacy RDP + ms_t120/MS_T120_BIND + anomaly notes), then subtract normal-pattern traffic.
Count vulnerable targeted systems as:
unique(DST_IP in exploit attempts) ∩ unique(unpatched inventory IPs).
Determine attack sources conservatively: report only sources supported by strong, repeated exploit-pattern evidence. Do pad the list to max allowed length when confidence is low.

Load all three context files first: IOC list, normal patterns, and system inventory.
Parse logs structurally (SRC_IP, DST_IP, RDP_VERSION, CHANNELS, RESULT, NOTES), not with loose substring-only greps.
Build high-confidence exploit-attempt events by requiring multiple BlueKeep-consistent traits together (e.g., legacy RDP + ms_t120/MS_T120_BIND + anomaly notes), then subtract normal-pattern traffic.
Count vulnerable targeted systems as:
unique(DST_IP in exploit attempts) ∩ unique(unpatched inventory IPs).
Determine attack sources conservatively: report only sources supported by strong, repeated exploit-pattern evidence. Do pad the list to max allowed length when confidence is low.