6 Replies Latest reply on Jul 2, 2013 11:41 AM by kelkin

    nDepth Report for Interactive Logons

    kelkin

      I've been trying for weeks to get an nDepth report created that shows ONLY interactive logons to servers by domain admins; it seems no matter what I do I get too little or too much data... I haven't been able to get a solution for this from LEM support either, so while we work on this I figured I'd try posting here to see if anyone has done anything similar and can offer any suggestions as to report logic.


      To be clear, the goal is this: I want to know whenever any domain admin logs onto a server by RDP, physical server console, Citrix, etc..


      I've been playing with some reports filtering them on:

      User.Logon,DestinationAccount Contains Domain Admins

      AND

      UserLogon.LogonType = Windows: Interactive (this returns way too much)


      and various other Windows logon types, but nothing is returning what I want to see. I'm sure someone else must have written similar reports; anyone have any suggestions?

      -Keith

        • Re: nDepth Report for Interactive Logons
          Ram Esakky

          Hi kelkin,


          If you just want to see everything related to a specific user, try this:

          1. Open the LEM/SIM Console, and then log in as an administrator.
          2. Click Explore, and then select nDepth. This should show you all of your alerts for the past 10 minutes.
          3. In the Refine Fields list on the left, find the user you're interested in under User Name. If the user is not there, expand your search time frame.
          4. Drag the username into the search bar.
          5. Click Search (blue "play" button).
          6. Expand the time frame of the search as necessary.
          7. Follow the steps in here to export the results.


          If you have any other questions, please do feel free to ask. Thank you.

            • Re: nDepth Report for Interactive Logons
              kelkin

              Hi Ram,

              Thanks, but that isn't what I'm looking for. I don't want to weed through tons of events for a specific user. I want to generate a report each month that shows ONLY logins for domain admins on all servers we monitor. What I'm looking for is the best logic to use for an nDepth report that I can run each month which captures only the events which indicate when a domain admin has logged on interactively to a server's desktop. I've gotten pretty close but not there yet.

              -Keith

                • Re: nDepth Report for Interactive Logons
                  nicole pauls

                  Honestly, it sounds to me like you ARE doing the right thing.


                  UserLogon.DestinationAccount = <username(s) you're interested in>

                  AND

                  UserLogon.LogonType = Windows: Interactive


                  Sample data includes "bubbajim" so that's what I've got here, and it did work as expected:


                  However, you should be aware that Windows interactive logons can also include "Remote Interactive" (RDP) and "Cached Interactive" (for when the logon is served with their cached creds instead of being sent on). For these purposes, you could search for:


                  UserLogon.DestinationAccount = <username(s) you're interested in>

                  AND

                  UserLogon.LogonType = *Interactive*


                  (The search turned orange in the search builder to argue with me about leading wildcards, but it did work, as in it returned expected results for both Windows: Interactive and Windows: Remote Interactive.)


                  Here's what will help us narrow down where this is coming up short:

                  1. Start with a specific user, one that's in an AD group you can test with like Domain Admins - search for: UserLogon.DestinationAccount = username
                  2. Verify that user has an "Interactive" type logon (or remote interactive/cached interactive, just verify it) in the timeframe you're searching, then add that to your search: UserLogon.DestinationAccount = username AND UserLogon.LogonType = Windows: Interactive
                  3. Assuming you see what you expect, broaden the search to use the AD group that contains that same user, rather than the username: UserLogon.DestinationAccount = <AD group with that username in it> AND UserLogon.LogonType = Windows: Interactive


                  Where does it stop working?
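The filter nicole describes (account in the admin group AND a logon type matching *Interactive*) expressed as a standalone script, so the same logic can be sanity-checked against raw Windows logon events outside LEM. This is an added example, not code from the thread or from LEM; the key=value event rendering, the admin group membership and the host names are constructed, and the three logon type codes (2, 10, 11) are the Windows codes behind the Interactive, Remote Interactive and Cached Interactive labels.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Windows logon type codes that put a user at a server's desktop: console (2),
# RDP/Citrix (10) and logons satisfied from cached credentials (11). Network
# logons (3), service (5) etc. are deliberately NOT in this set.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "Remote Interactive", 11: "Cached Interactive"}

# Constructed group membership; a real report would pull Domain Admins from AD.
DOMAIN_ADMINS: Set[str] = {"CORP\\keith", "CORP\\bubbajim"}

# Constructed sample of Event ID 4624 (successful logon) fields, one event per line.
SAMPLE_EVENTS = """\
4624 TargetUserName=keith TargetDomainName=CORP LogonType=10 WorkstationName=SRV01
4624 TargetUserName=keith TargetDomainName=CORP LogonType=3 WorkstationName=FS01
4624 TargetUserName=bubbajim TargetDomainName=CORP LogonType=2 WorkstationName=DC01
4624 TargetUserName=svc_backup TargetDomainName=CORP LogonType=2 WorkstationName=SRV02
4624 TargetUserName=bubbajim TargetDomainName=CORP LogonType=11 WorkstationName=SRV03
4624 TargetUserName=keith TargetDomainName=CORP LogonType=5 WorkstationName=SRV01
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class LogonEvent:
    account: str      # DOMAIN\user, matching how DestinationAccount is usually shown
    logon_type: int
    host: str


def parse_event(line: str) -> Optional[LogonEvent]:
    """Parse one constructed 4624 line; anything that is not a 4624 is ignored."""
    if not line.startswith("4624 "):
        return None
    f = dict(FIELD_RE.findall(line))
    return LogonEvent(f"{f['TargetDomainName']}\\{f['TargetUserName']}",
                      int(f["LogonType"]), f["WorkstationName"])


def admin_interactive_logons(raw: str, admins: Set[str] = DOMAIN_ADMINS) -> List[Tuple[str, str, str]]:
    """Return (account, logon kind, host) for every admin logon at a desktop."""
    report = []
    for line in raw.splitlines():
        ev = parse_event(line)
        if ev and ev.account in admins and ev.logon_type in INTERACTIVE_LOGON_TYPES:
            report.append((ev.account, INTERACTIVE_LOGON_TYPES[ev.logon_type], ev.host))
    return report


if __name__ == "__main__":
    for account, kind, host in admin_interactive_logons(SAMPLE_EVENTS):
        print(f"{account:16} {kind:20} {host}")
```

Running it on the sample prints three rows (keith via RDP on SRV01, bubbajim at the DC01 console, bubbajim with cached credentials on SRV03); the network and service logons and the non-admin account are dropped, which is the 15,000-to-120 style reduction the thread is after.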

                    • Re: nDepth Report for Interactive Logons
                      kelkin

                      Hi Nicole,

                      RDP and cached logins are fine; that's actually what I want to see, but the problem is that that logic is returning so many other events which aren't actually interactive logons... I did come up with report logic that seems to give me exactly what I was looking for. I'll post it here so other people can benefit from it as well. What I did was filter out what I *don't* want to see, and the remaining data is pretty much perfect; instead of 15,000 events for a day I get 120, which is much more realistic. The purpose of this report is to audit when system admins log onto a server's desktop; I don't care about mapping to network drives or other types of connectivity.

                      -Keith

                      LEM.jpg

                        • Re: nDepth Report for Interactive Logons
                          nicole pauls

                          Well, that's another good approach. I'm not sure why the Interactive bits weren't working right, but this works.


                          Are you on 5.5 or 5.6?

                            • Re: nDepth Report for Interactive Logons
                              kelkin

                              We're on 5.4 actually, which is another problem: my report logic keeps getting corrupted, so I have to modify my report every time before I run it, since some of the logic gets modified on its own.

                              Thanks, yeah, the approach I took was that since no one could tell me what I needed to include and I didn't want to inadvertently miss anything, I'd rather report on everything and filter out what I know I don't want to see. Once in a while a new event pops up I don't care to see, so I'll add it to the report logic to filter out. So far it seems to be working great; I'm sure there's a more efficient way to do this, I just haven't figured it out yet.

                              -Keith