Microsoft Tech Community

How to monitor failed RDP login activity for authorized user and wrong password


How to monitor failed RDP login activity for an authorized user with a wrong password, as Event ID 4625 is not generated for this condition.

Event ID 4625 is generated for RDP activity for a user not existing in AD.

We are collecting Domain Controller logs and target system logs in our Sentinel workspace.

Can anyone suggest how I can monitor the above-mentioned activity?

2 Replies

@deepak198486 you should definitely be seeing event id 4625 generated on the machine you are trying to RDP to. I just tested it and can see a failed logon showing in Sentinel. You should also get an event id 4771 on a domain controller. Are you definitely ingesting all the events into Sentinel?

Yes we are, I even tested on my machine. The event id 4625 is not logged when an authorized user with a wrong password tries to RDP.
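One way to run the ingestion check suggested in the first reply, as an added example that is not part of the thread: a Sentinel query that shows, per computer, whether event 4625 (target machine) and event 4771 (domain controller) arrived for a test account. It assumes the events land in the standard `SecurityEvent` table; `testuser` and the one-day lookback are constructed placeholders.

```kql
// Added example, not from the thread. Run it after a deliberate failed RDP
// logon with a valid account and a wrong password.
let lookback = 1d;              // assumption: the test was done within the last day
let testAccount = "testuser";   // placeholder: account used for the failed RDP test
SecurityEvent
| where TimeGenerated > ago(lookback)
// 4625 = failed logon on the machine being connected to
// 4771 = Kerberos pre-authentication failed, logged on a domain controller
| where EventID in (4625, 4771)
// Match the account name in any column (including raw EventData), so the
// result does not depend on which parsed field carries the name.
| where * has testAccount
// No LogonType filter on purpose: with Network Level Authentication a failed
// RDP logon is typically recorded as LogonType 3 (network), not 10, so a
// filter on LogonType == 10 would hide it.
| summarize
    Events      = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    LogonTypes  = make_set(LogonType),
    SubStatuses = make_set(SubStatus)
    by EventID, Computer
| order by EventID asc, LastSeen desc
```

If a row is missing for the target machine or for every domain controller, check that failure auditing for the relevant logon categories is enabled on that host and that the data collection rule or connector is set to collect those event IDs.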