Sep 30 2021 12:54 AM
How to monitor failed RDP login activity for an authorized user with a wrong password, as no Event ID 4625 is generated for this condition?
Event ID 4625 is generated for RDP activity for a user not existing in AD.
We are collecting Domain Controller logs and target system logs in our Sentinel workspace.
Can anyone suggest how I can monitor the above mentioned activity?
Oct 01 2021 06:01 PM
@deepak198486 you should definitely be seeing event id 4625 generated on the machine you are trying to RDP to, I just tested it and can see a failed logon showing in Sentinel. You should also get an event id 4771 on a domain controller. Are you definitely ingesting all the events into Sentinel?
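One way to surface both sides of the failure the reply describes, as an added KQL example that is not part of the thread and was not posted by either participant: it reads the Sentinel `SecurityEvent` table for Event ID 4625 on the RDP target and Event ID 4771 on the domain controller, and keeps only failures for accounts that do exist (wrong password rather than unknown user). The lookback window, the failure threshold of 5, the lowercase hex comparison of the status fields and the inclusion of logon type 3 alongside type 10 are assumptions for this example, not values from the thread.

```kql
// Added example (not from the thread): failed RDP logons for existing domain accounts,
// correlated from the target host (4625) and the domain controller (4771).
let lookback = 1d;          // assumed window
let threshold = 5;          // assumed alerting threshold per account and source IP
// 4625 on the RDP target host.
// LogonType 10 = RemoteInteractive. With Network Level Authentication the credential check
// happens before the session exists, so the failure is often logged as LogonType 3 (Network);
// both are included (assumption for this example).
// SubStatus 0xC000006A = wrong password for a valid account; 0xC0000064 = account does not exist.
let targetFailures = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | where LogonType in (10, 3)
    | where tolower(SubStatus) == "0xc000006a"
    | project TimeGenerated, Computer, TargetAccount, IpAddress, LogonType,
              Source = "Target host 4625";
// 4771 on the domain controller: Kerberos pre-authentication failed.
// Status 0x18 = pre-authentication information was invalid, i.e. wrong password for an existing
// account; 0x6 (client not found) would be an unknown account and is excluded here.
let dcFailures = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4771
    | where tolower(Status) == "0x18"
    | project TimeGenerated, Computer, TargetAccount = TargetUserName, IpAddress,
              LogonType = int(null), Source = "DC 4771";
targetFailures
| union dcFailures
| summarize Failures = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Hosts     = make_set(Computer)
          by TargetAccount, IpAddress, Source
| where Failures >= threshold
| order by Failures desc
```

Run the two halves separately first (comment out the `union`) to confirm which event is actually landing in the workspace; if the 4771 rows appear but the 4625 rows do not, the collection rule on the target host is the place to look, since the reply above expects both.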
Oct 04 2021 11:04 PM - edited Oct 04 2021 11:06 PM
Yes, we are. I even tested on my machine. Event ID 4625 is not logged when an authorized user with a wrong password tries to RDP.