Forum Discussion

The_sec_guy12165
Copper Contributor
May 24, 2019

Alert on Successful RDP connections

While playing with log queries in Sentinel, I found several RDP connections to my test machines and would like to know if these attempts were successful or not. I looked for messages such as "User Authentication succeeded" or event ID 1149 but couldn't find any. However, in my Sentinel logs I can see the following logs:


Am I missing something?

  • For anyone else who is looking for this, the solution is to filter by Event in Sentinel logs, after enabling Windows RDP logs under DATA => Windows Event Logs.
    You can use the following query for testing:

    Event
    | where RenderedDescription contains "A connection from the client computer with an IP address of"
        and RenderedDescription contains "failed because the user name or password is not correct. "


      truekonrads
      Brass Contributor

      What do you mean by "Data => Windows Event Logs", where is that setting?

      EDIT: found it: Azure Sentinel Workspaces / [workspace ] / Settings / Workspace Settings / Advanced Settings / Data
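The query posted above only lists the matching events one by one. As an added example (not from any participant in this thread), the KQL below builds on the same RenderedDescription text from the Event table to count failed RDP logons per client IP and host, which is closer to what an analytics rule needs; the regex, the 1h lookback and the threshold of 5 are assumptions chosen for illustration.

```kql
// Added example, not part of the thread: failed RDP password attempts per source IP,
// based on the RenderedDescription text quoted in the thread above.
// Lookback window and threshold are arbitrary values for illustration.
let lookback = 1h;
let threshold = 5;
Event
| where TimeGenerated > ago(lookback)
| where RenderedDescription has "A connection from the client computer with an IP address of"
    and RenderedDescription has "failed because the user name or password is not correct"
// The client address only exists inside the free-text description, so extract it (assumed IPv4 layout)
| extend SourceIP = extract(@"IP address of (\d{1,3}(?:\.\d{1,3}){3})", 1, RenderedDescription)
| where isnotempty(SourceIP)
| summarize FailedAttempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Computer, SourceIP
| where FailedAttempts >= threshold
| order by FailedAttempts desc
```

Running this as a scheduled analytics rule with the same lookback gives one alert row per host and source IP instead of one per event.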
