Splashtop-Splashtop Streamer-Remote Session

16 events across 1 channel

Event	Title	Channel	Sample
1000	A Splashtop remote session (Session_ID) has started to this computer by SPID …	Operational	N
1001	The Splashtop remote session (Session_ID) has ended.	Operational	N
1100	A file was transferred during the Splashtop remote session (Session_ID).	Operational	N
1101	A file was transferred during the Splashtop remote session (Session_ID).	Operational	N
1110	A file was transferred during the Splashtop remote session (Session_ID).	Operational	N
1111	A file was transferred during the Splashtop remote session (Session_ID).	Operational	N
1200	The user SPID enabled blank Screen during the Splashtop remote session …	Operational	N
1201	The user SPID disabled blank Screen during the Splashtop remote session …	Operational	N
1300	The user SPID triggered Normal Reboot during the Splashtop remote session …	Operational	N
1310	The user SPID triggered Safe Mode Reboot during the Splashtop remote session …	Operational	N
1500	The user SPID enabled Lock Keyboard and Mouse during the Splashtop remote …	Operational	N
1501	The user SPID disabled Lock Keyboard and Mouse during the Splashtop remote …	Operational	N
1600	The user SPID has changed to a different session during the Splashtop remote …	Operational	N
1700	The user SPID enabled Device Redirection during the Splashtop remote session …	Operational	N
1701	The user SPID disabled Device Redirection during the Splashtop remote session …	Operational	N
1710	The user SPID enabled Remote Microphone during the Splashtop remote session …	Operational	N

Event ID 1000: A Splashtop remote session (Session_ID) has started to this computer by SPID from the device SRC_Name.

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

A Splashtop remote session (Session_ID) has started to this computer by SPID from the device SRC_Name.

Message #

A Splashtop remote session (%1) has started to this computer by %2 from the device %3.

App version: %4

Fields #

Name	Description
`Session_ID` UnicodeString
`SPID` UnicodeString
`SRC_Name` UnicodeString
`Version_number` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1001: The Splashtop remote session (Session_ID) has ended.

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The Splashtop remote session (Session_ID) has ended. The remote session lasted Duration_Time.

Message #

The Splashtop remote session (%1) has ended. The remote session lasted %2.

App version: %3

Fields #

Name	Description
`Session_ID` UnicodeString
`Duration_Time` UnicodeString
`Version_number` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1100: A file was transferred during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

A file was transferred during the Splashtop remote session (Session_ID).

Message #

A file was transferred during the Splashtop remote session (%1).

App version: %2

File name: %3

From: %4 (%5)

To: %6 (%7)

Error code: N/A

Fields #

Name	Description
`Session_ID` UnicodeString
`Version_number` UnicodeString
`File_Name` UnicodeString
`SRS_Name` UnicodeString
`SRS_Path` UnicodeString
`SRC_Name` UnicodeString
`SRC_Path` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1101: A file was transferred during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

A file was transferred during the Splashtop remote session (Session_ID).

Message #

A file was transferred during the Splashtop remote session (%1).

App version: %2

File name: %3

From: %4 (%5)

To: %6 (%7)

Error cod: N/A

Fields #

Name	Description
`Session_ID` UnicodeString
`Version_number` UnicodeString
`File_Name` UnicodeString
`SRC_Name` UnicodeString
`SRC_Path` UnicodeString
`SRS_Name` UnicodeString
`SRS_Path` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1110: A file was transferred during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

A file was transferred during the Splashtop remote session (Session_ID).

Message #

A file was transferred during the Splashtop remote session (%1).

App version: %2

File name: %3

From: %4 (%5)

To: %6 (%7)

Error code: %8

Fields #

Name	Description
`Session_ID` UnicodeString
`Version_number` UnicodeString
`File_Name` UnicodeString
`SRS_Name` UnicodeString
`SRS_Path` UnicodeString
`SRC_Name` UnicodeString
`SRC_Path` UnicodeString
`Error_code` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1111: A file was transferred during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

A file was transferred during the Splashtop remote session (Session_ID).

Message #

A file was transferred during the Splashtop remote session (%1).

App version: %2

File name: %3

From: %4 (%5)

To: %6 (%7)

Error code: %8

Fields #

Name	Description
`Session_ID` UnicodeString
`Version_number` UnicodeString
`File_Name` UnicodeString
`SRC_Name` UnicodeString
`SRC_Path` UnicodeString
`SRS_Name` UnicodeString
`SRS_Path` UnicodeString
`Error_code` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1200: The user SPID enabled blank Screen during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID enabled blank Screen during the Splashtop remote session (Session_ID).

Message #

The user %1 enabled blank Screen during the Splashtop remote session (%2).

App version: %3

Fields #

Name	Description
`SPID` UnicodeString
`Session_ID` UnicodeString
`Version_number` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1201: The user SPID disabled blank Screen during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID disabled blank Screen during the Splashtop remote session (Session_ID).

Message #

The user %1 disabled blank Screen during the Splashtop remote session (%2).

App version: %3

Fields #

Name	Description
`SPID` UnicodeString
`Session_ID` UnicodeString
`Version_number` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1300: The user SPID triggered Normal Reboot during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID triggered Normal Reboot during the Splashtop remote session (Session_ID).

Message #

The user %1 triggered Normal Reboot during the Splashtop remote session (%2).

App version: %3

Fields #

Name	Description
`SPID` UnicodeString
`Session_ID` UnicodeString
`Version_number` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1310: The user SPID triggered Safe Mode Reboot during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID triggered Safe Mode Reboot during the Splashtop remote session (Session_ID).

Message #

The user %1 triggered Safe Mode Reboot during the Splashtop remote session (%2).

App version: %3

Fields #

Name	Description
`SPID` UnicodeString
`Session_ID` UnicodeString
`Version_number` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1500: The user SPID enabled Lock Keyboard and Mouse during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID enabled Lock Keyboard and Mouse during the Splashtop remote session (Session_ID).

Message #

The user %1 enabled Lock Keyboard and Mouse during the Splashtop remote session (%2).

App version: %3

Fields #

Name	Description
`SPID` UnicodeString
`Session_ID` UnicodeString
`Version_number` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1501: The user SPID disabled Lock Keyboard and Mouse during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID disabled Lock Keyboard and Mouse during the Splashtop remote session (Session_ID).

Message #

The user %1 disabled Lock Keyboard and Mouse during the Splashtop remote session (%2).

App version: %3

Fields #

Name	Description
`SPID` UnicodeString
`Session_ID` UnicodeString
`Version_number` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1600: The user SPID has changed to a different session during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID has changed to a different session during the Splashtop remote session (Session_ID).

Message #

The user %1 has changed to a different session during the Splashtop remote session (%2).

App version: %3

To: %4

Fields #

Name	Description
`SPID` UnicodeString
`Session_ID` UnicodeString
`Version_number` UnicodeString
`Terminal_Session_ID` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1700: The user SPID enabled Device Redirection during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID enabled Device Redirection during the Splashtop remote session (Session_ID).

Message #

The user %1 enabled Device Redirection during the Splashtop remote session (%2).

App version: %3

Source: %4



Device info

Product name: %5 (%6)

Manufacturer: %7 (%8)

Serial number: %9

VendorID: %10

ProductID: %11

Class type: %12 (%13)

Sub-class type: %14 (%15)

Protocol: %16 (%17)

Device version: %18

Usb version: %19

Fields #

Name	Description
`SPID` UnicodeString
`Session_ID` UnicodeString
`Version_number` UnicodeString
`Reason` UnicodeString
`Product_Name` UnicodeString
`Mounted_Product_Name` UnicodeString
`Manufacturer` UnicodeString
`Mounted_Manufacturer` UnicodeString
`Serial_Numver` UnicodeString
`Vendor_ID` UnicodeString
`Product_ID` UnicodeString
`Class_Type` UnicodeString
`Mounted_Class_Type` UnicodeString
`SubClass_Type` UnicodeString
`Mounted_SubClass_Type` UnicodeString
`Protocol` UnicodeString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Mounted_Protocol` UnicodeString
`Device_Version` UnicodeString
`USB_Version` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1701: The user SPID disabled Device Redirection during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID disabled Device Redirection during the Splashtop remote session (Session_ID).

Message #

The user %1 disabled Device Redirection during the Splashtop remote session (%2).

App version: %3

Source: %4



Device info

Product name: %5 (%6)

Manufacturer: %7 (%8)

Serial number: %9

VendorID: %10

ProductID: %11

Class type: %12 (%13)

Sub-class type: %14 (%15)

Protocol: %16 (%17)

Device version: %18

Usb version: %19

Fields #

Name	Description
`SPID` UnicodeString
`Session_ID` UnicodeString
`Version_number` UnicodeString
`Reason` UnicodeString
`Product_Name` UnicodeString
`Mounted_Product_Name` UnicodeString
`Manufacturer` UnicodeString
`Mounted_Manufacturer` UnicodeString
`Serial_Numver` UnicodeString
`Vendor_ID` UnicodeString
`Product_ID` UnicodeString
`Class_Type` UnicodeString
`Mounted_Class_Type` UnicodeString
`SubClass_Type` UnicodeString
`Mounted_SubClass_Type` UnicodeString
`Protocol` UnicodeString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Mounted_Protocol` UnicodeString
`Device_Version` UnicodeString
`USB_Version` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

Event ID 1710: The user SPID enabled Remote Microphone during the Splashtop remote session (Session_ID).

Provider: Splashtop-Splashtop Streamer-Remote Session
Channel: Operational

Description

The user SPID enabled Remote Microphone during the Splashtop remote session (Session_ID).

Message #

The user %1 enabled Remote Microphone during the Splashtop remote session (%2).

App version: %3

Fields #

Name	Description
`SPID` UnicodeString
`Session_ID` UnicodeString
`Version_number` UnicodeString

Community Notes #

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)