
Alert on Successful RDP connections

The_sec_guy12165
New Contributor

While playing with log queries in Sentinel, I found several RDP connections to my test machines and would like to know if these attempts were successful or not. I looked for messages such as "User Authentication succeeded" or event ID 1149 but couldn't find any. However, in my Sentinel logs I can see the following logs:

[Image: RDP_Logs.JPG]

Am I missing something?

1 Reply

For anyone else who is looking for this, the solution is to filter by Event in Sentinel logs, after enabling Windows RDP logs under DATA => Windows Events Logs.
You can use the following query for testing:

Event
| where RenderedDescription contains "A connection from the client computer with an IP address of"
    and RenderedDescription contains "failed because the user name or password is not correct. "
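As an added example (not from the thread's author or from Microsoft), the Python below shows how the two message texts discussed in this thread can be used to classify rows shaped like Sentinel's Event table and to flag a source address whose RDP logon succeeds shortly after repeated password failures. The sample rows, addresses, timestamps and the exact wording of the event 1149 description are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS_TEXT = "User authentication succeeded"   # text of event ID 1149, mentioned in the question
FAIL_TEXT = "failed because the user name or password is not correct"   # text used in the reply's query
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample rows in the shape of Sentinel's Event table:
# (TimeGenerated, EventID, RenderedDescription). Addresses, times and the
# 1149 wording are assumptions for this example, not data from the thread.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", 140, "A connection from the client computer with an IP address of 203.0.113.5 failed because the user name or password is not correct. "),
    ("2024-01-10T09:00:04", 140, "A connection from the client computer with an IP address of 203.0.113.5 failed because the user name or password is not correct. "),
    ("2024-01-10T09:00:09", 140, "A connection from the client computer with an IP address of 203.0.113.5 failed because the user name or password is not correct. "),
    ("2024-01-10T09:00:15", 1149, "Remote Desktop Services: User authentication succeeded:\n\nUser: admin\nDomain: LAB\nSource Network Address: 203.0.113.5"),
    ("2024-01-10T10:30:00", 1149, "Remote Desktop Services: User authentication succeeded:\n\nUser: alice\nDomain: LAB\nSource Network Address: 198.51.100.7"),
    ("2024-01-10T11:00:00", 4624, "An account was successfully logged on."),
]

def classify(event_id, text):
    """Return ('success' | 'failure', source_ip) for RDP auth events, else None."""
    match = IP_RE.search(text)
    src = match.group(1) if match else None
    if event_id == 1149 or SUCCESS_TEXT in text:
        return ("success", src)
    if FAIL_TEXT in text:
        return ("failure", src)
    return None   # not an RDP authentication event (e.g. a Security-log 4624)

def find_success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """Flag sources whose RDP logon succeeded after >= min_failures failures inside `window`."""
    failures = defaultdict(list)   # source IP -> timestamps of failed attempts
    flagged = []
    for ts_str, event_id, text in sorted(events):   # ISO timestamps sort chronologically
        kind = classify(event_id, text)
        if kind is None or kind[1] is None:
            continue
        label, src = kind
        ts = datetime.fromisoformat(ts_str)
        if label == "failure":
            failures[src].append(ts)
        else:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= min_failures:
                flagged.append((src, len(recent), ts_str))
            failures[src] = []   # a success closes the current attempt sequence
    return flagged
```

The same correlation can be expressed in KQL once the RemoteConnectionManager and RdpCoreTS operational logs are being collected into the Event table.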

