Event ID 312 — The user "EventInfo.Username", on client computer "EventInfo.IpAddress", has initiated an outbound connection.
Description
The user "EventInfo.Username", on client computer "EventInfo.IpAddress", has initiated an outbound connection. This connection may not be authenticated yet.
Message
Fields
| Name | Description |
|---|---|
| EventInfo.Username | — |
| EventInfo.IpAddress | — |
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-Gateway",
    "guid": "4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B",
    "event_source_name": "",
    "event_id": 312,
    "version": 0,
    "level": 0,
    "task": 3,
    "opcode": 30,
    "keywords": 4611686018427387904,
    "time_created": "2024-11-04T13:59:31.379210+00:00",
    "event_record_id": 86,
    "correlation": {
      "ActivityID": "7CF86876-882F-0625-F153-3DEC514DA0B2"
    },
    "execution": {
      "process_id": 1444,
      "thread_id": 2256
    },
    "channel": "Microsoft-Windows-TerminalServices-Gateway/Operational",
    "computer": "EC2AMAZ-6C3C9U6",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "user_data": {
    "EventInfo": {
      "Username": "Administrator",
      "IpAddress": "198.51.100.1:63920"
    }
  },
  "message": ""
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx