Filters for Specific Use Cases. Please advise!

Hello,

I am trying to create filters that help display RDP traffic information (Remote user logon and logoff), Workstation logon and logoff, administrative use, and SMB (when users access shared drives, folders, and files).

Please advise!

Thank you very much for your time and effort!

  • RDP traffic information (Remote user logon and logoff) - There is an out of the box filter called 'Remote User Logons'. It is based on UserLogon.LogonType=*Remote*

    Workstation Logon/Logoff - Windows does not generate a specific Event ID for workstation authentication. You would need to create a user defined group which contains all your workstations. You can then create a filter for UserLogon.SourceMachine = Workstations (your user defined group).

    Administrative Use - You can create a filter to show all administrative logon, UserLogon.SourceAccount=*admin* (or integrate to your Domain Admins group in AD to capture authentication from any user within that group).

    Users accessing drives/folders/files: LEM's File Integrity Monitoring may assist with this use case. There is an out of the box filter called 'All File Audit Activity'. You can adjust this filter to capture specific file types, file names, usernames, etc.
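
The filter conditions in this reply, run against a handful of normalized events, as an added example (this is not LEM's own code or the replying user's). It assumes LEM-style semantics that the thread only implies: a value such as `*Remote*` is a case-insensitive wildcard, and a value naming a user-defined group means "is a member of that group". The group membership lists, the events and their `id` values are constructed for the demo.

```python
"""Evaluate LEM-style filter conditions against normalized logon events.

Added example, not LEM's own code. The field names (LogonType, SourceMachine,
SourceAccount) and the wildcard patterns follow the conditions quoted in the
reply above; the event records, the group membership lists and the per-event
"id" values are constructed for this demo.
"""
from fnmatch import fnmatchcase

# Constructed stand-in for LEM user-defined groups: the "Workstations" group the
# reply suggests building, and an AD-sourced "Domain Admins" group.
USER_DEFINED_GROUPS = {
    "Workstations": {"WS-0101", "WS-0102", "LAPTOP-07"},
    "Domain Admins": {"alice.admin", "svc-backup-admin"},
}

def matches(value, pattern):
    """Case-insensitive match of one field against a filter value.

    A value that names a user-defined group means "is a member of that group";
    anything else is treated as a wildcard pattern such as *Remote*.
    """
    if pattern in USER_DEFINED_GROUPS:
        members = {m.lower() for m in USER_DEFINED_GROUPS[pattern]}
        return value.lower() in members
    return fnmatchcase(value.lower(), pattern.lower())

def evaluate(event, conditions):
    """Return True when every (EventType.Field, value) condition holds (AND)."""
    for path, pattern in conditions:
        event_type, field = path.split(".", 1)
        if event["EventType"] != event_type:
            return False
        if not matches(str(event.get(field, "")), pattern):
            return False
    return True

# The filters from the reply, expressed as lists of conditions.
FILTERS = {
    "Remote User Logons":    [("UserLogon.LogonType", "*Remote*")],
    "Workstation Logons":    [("UserLogon.SourceMachine", "Workstations")],
    "Administrative Logons": [("UserLogon.SourceAccount", "*admin*")],
    "Domain Admin Logons":   [("UserLogon.SourceAccount", "Domain Admins")],
    "Remote User Logoffs":   [("UserLogoff.LogonType", "*remote*")],
}

# Constructed normalized events; "id" exists only so results are easy to read.
EVENTS = [
    {"id": "e1", "EventType": "UserLogon",  "LogonType": "RemoteInteractive",
     "SourceMachine": "SRV-RDP01",  "SourceAccount": "bob"},
    {"id": "e2", "EventType": "UserLogon",  "LogonType": "Interactive",
     "SourceMachine": "WS-0101",    "SourceAccount": "carol"},
    {"id": "e3", "EventType": "UserLogon",  "LogonType": "Network",
     "SourceMachine": "WS-0102",    "SourceAccount": "alice.admin"},
    {"id": "e4", "EventType": "UserLogoff", "LogonType": "RemoteInteractive",
     "SourceMachine": "SRV-RDP01",  "SourceAccount": "bob"},
    {"id": "e5", "EventType": "UserLogon",  "LogonType": "Network",
     "SourceMachine": "SRV-FILE01", "SourceAccount": "svc-backup-admin"},
    # Named like an admin but not in the Domain Admins group: the *admin*
    # wildcard catches it, the group-based filter does not.
    {"id": "e6", "EventType": "UserLogon",  "LogonType": "Interactive",
     "SourceMachine": "SRV-APP02",  "SourceAccount": "helpdesk-admin"},
]

def run_filters(events, filters=FILTERS):
    """Map each filter name to the ids of the events it would display."""
    hits = {name: [] for name in filters}
    for ev in events:
        for name, conditions in filters.items():
            if evaluate(ev, conditions):
                hits[name].append(ev["id"])
    return hits

if __name__ == "__main__":
    for name, ids in run_filters(EVENTS).items():
        print(f"{name:24s} -> {ids}")
```

The two administrative filters show the trade-off the reply hints at: the `*admin*` wildcard is quick to set up but matches on naming convention only (e6 above), while the group-based condition follows actual AD membership.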

  • Thank you very much.

    About RDP logging, how can I tell when a user logs off or disconnects from the remote computer?

    I tried UserLogoff.LogonType = *Remote*, but that did not work.

    Thank you very much!

  • *I couldn't edit the previous reply*

    I also want to know if there is documentation I can read to learn about all the events and event groups in Filter Creation.

  • Could you send me a screenshot of your filter conditions?

    UserLogoff.LogonType = *remote* should work:

    (attached screenshot: Screenshot 2019-01-17 at 11.36.04.png)

  • Thank you for your time.

    I got it working. It was me. I disconnected the remote session instead of signing out = logging off. Therefore, the events did not report into LEM.
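
The distinction the poster ran into, shown on raw Windows Security events, as an added example (not LEM's or Microsoft's code, and not the poster's). A disconnect leaves the Windows session alive, so the Security log records event 4779 (session disconnected) rather than a logoff (4634 account logged off, 4647 user-initiated logoff); only signing out produces those, which is why a `UserLogoff.LogonType = *remote*` filter stays silent on a disconnect. The mapping from event IDs to `UserLogon`/`UserLogoff` categories below is a simplification written for this demo, not LEM's actual normalization rules, and the raw events are constructed.

```python
"""Why disconnecting an RDP session did not satisfy UserLogoff.LogonType = *remote*.

Added example, not LEM's or Microsoft's code. The event-ID-to-category
mapping is a simplification for this demo, not LEM's actual normalization
rules; the raw Security events are constructed.
"""
from fnmatch import fnmatchcase

# Windows logon-type codes that matter here (10 = RemoteInteractive, i.e. RDP).
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

def _record(category, raw, logon_type):
    """Build a LEM-like normalized record from a raw Security event."""
    return {
        "EventType": category,
        "SourceAccount": raw["AccountName"],
        "LogonType": LOGON_TYPE_NAMES.get(logon_type, "Unknown") if logon_type else "",
        "RawEventID": raw["EventID"],
    }

def normalize_stream(raw_events):
    """Turn raw Security events into UserLogon / UserLogoff / session records.

    4624 and 4634 carry a Logon Type directly. 4647 does not, so its type is
    resolved through the Logon ID recorded by the matching 4624. 4778/4779
    describe the RDP session, not the logon, so they never become UserLogoff.
    """
    logon_type_by_id = {}
    records = []
    for raw in raw_events:
        eid = raw["EventID"]
        if eid == 4624:
            logon_type_by_id[raw["LogonId"]] = raw["LogonType"]
            records.append(_record("UserLogon", raw, raw["LogonType"]))
        elif eid == 4634:
            records.append(_record("UserLogoff", raw, raw["LogonType"]))
        elif eid == 4647:
            records.append(_record("UserLogoff", raw, logon_type_by_id.get(raw["LogonId"])))
        elif eid == 4779:
            records.append(_record("SessionDisconnect", raw, None))
        elif eid == 4778:
            records.append(_record("SessionReconnect", raw, None))
    return records

def remote_logoffs(records):
    """The thread's filter: UserLogoff.LogonType = *remote*."""
    return [r for r in records
            if r["EventType"] == "UserLogoff"
            and fnmatchcase(r["LogonType"].lower(), "*remote*")]

def session_disconnects(records):
    """A second view a defender would add to also see RDP disconnects."""
    return [r for r in records if r["EventType"] == "SessionDisconnect"]

# Constructed raw events for one RDP user, "bob", on a single host.
_LOGON = {"EventID": 4624, "AccountName": "bob", "LogonId": "0x3e7a1", "LogonType": 10}
_DISCONNECT = {"EventID": 4779, "AccountName": "bob", "SessionName": "RDP-Tcp#3"}
_RECONNECT = {"EventID": 4778, "AccountName": "bob", "SessionName": "RDP-Tcp#3"}
_SIGN_OUT = {"EventID": 4647, "AccountName": "bob", "LogonId": "0x3e7a1"}
_LOGGED_OFF = {"EventID": 4634, "AccountName": "bob", "LogonId": "0x3e7a1", "LogonType": 10}

# Scenario 1: the user clicks "Disconnect" (what the poster did at first).
DISCONNECT_ONLY = [_LOGON, _DISCONNECT]
# Scenario 2: the user later reconnects and then signs out.
SIGN_OUT = [_LOGON, _DISCONNECT, _RECONNECT, _SIGN_OUT, _LOGGED_OFF]

if __name__ == "__main__":
    for label, stream in (("disconnect only", DISCONNECT_ONLY), ("sign out", SIGN_OUT)):
        recs = normalize_stream(stream)
        print(f"{label}: remote logoffs={len(remote_logoffs(recs))}, "
              f"disconnects={len(session_disconnects(recs))}")
```

In the first scenario the logoff filter returns nothing while the disconnect view returns one record; in the second, both 4647 and 4634 surface as remote logoffs. If disconnected-but-live RDP sessions matter for your monitoring (they still hold the user's credentials and desktop), watch 4779 alongside the logoff events rather than expecting the logoff filter to cover them.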