I would like to know if it is possible to create an alarm for the following scenario:

User A uses RDP to log on to Server A. Then user B logs on to Server B from Server A using RDP.

So the scenario is an attacker using one set of credentials to RDP to Server A and then does RDP from Server A to Server B using different credentials.

Is it possible to log this? As I see it, I need to be able to create variables in the search criteria, as in Server A's IP address would need to be saved somehow and used in another query to figure out if other RDP sessions have been started from Server A to other servers within, for example, 1 hour.

Is this possible?

Thanks in advance.
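The correlation asked for above, as an added illustration that is not part of the original post or of any product's alert engine: it keeps a small in-memory lookup table of recent RDP logons per host (the same role a dynamic lookup table plays in a SIEM), then flags a second RDP logon whose source address belongs to a host that itself received an RDP logon under a different account within the window. The Windows-style 4624 log lines, the host-to-IP map and the field names are constructed for this example; logon type 10 (RemoteInteractive) is what a real RDP logon carries in the Security log.

```python
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Windows Security event 4624 (successful logon).
# LogonType 10 = RemoteInteractive (RDP); the LogonType 3 line is network access and is ignored.
LOG_LINES = [
    "2024-01-10T09:00:00 EventID=4624 LogonType=10 TargetUserName=alice IpAddress=10.0.0.50 Computer=SERVER-A",
    "2024-01-10T09:05:00 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.0.1.10 Computer=SERVER-B",
    "2024-01-10T09:12:00 EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=10.0.1.10 Computer=SERVER-B",
    "2024-01-10T11:30:00 EventID=4624 LogonType=10 TargetUserName=alice IpAddress=10.0.1.10 Computer=SERVER-C",
    "2024-01-10T14:00:00 EventID=4624 LogonType=10 TargetUserName=bob IpAddress=10.0.1.10 Computer=SERVER-B",
]

# Constructed host-to-IP map (assumption: the SIEM can resolve which server a source IP belongs to).
HOST_IPS = {"SERVER-A": "10.0.1.10", "SERVER-B": "10.0.1.11", "SERVER-C": "10.0.1.12"}


def parse_rdp_logon(line):
    """Parse one key=value log line; return a dict for RDP (4624/type 10) logons, else None."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    if fields.get("EventID") != "4624" or fields.get("LogonType") != "10":
        return None
    return {
        "ts": datetime.fromisoformat(timestamp),
        "user": fields["TargetUserName"],
        "src_ip": fields["IpAddress"],
        "host": fields["Computer"],
    }


def detect_chained_rdp(lines, host_ips, window=timedelta(hours=1)):
    """Flag RDP logons that originate from a host which itself received an RDP logon
    under a different account within `window`. Returns one finding per chained pair."""
    events = sorted(filter(None, map(parse_rdp_logon, lines)), key=lambda e: e["ts"])
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    recent_by_host = {}  # lookup table: host -> RDP logons received, newest last
    findings = []
    for ev in events:
        pivot = ip_to_host.get(ev["src_ip"])
        if pivot is not None:
            # Drop table entries that fell out of the window so the table stays bounded.
            recent_by_host[pivot] = [p for p in recent_by_host.get(pivot, []) if ev["ts"] - p["ts"] <= window]
            for prior in recent_by_host[pivot]:
                if prior["user"] != ev["user"]:
                    findings.append({
                        "first_user": prior["user"],
                        "pivot_host": pivot,
                        "second_user": ev["user"],
                        "target_host": ev["host"],
                        "minutes_between": int((ev["ts"] - prior["ts"]).total_seconds() // 60),
                    })
        # Record this logon so a later hop out of ev["host"] can be matched against it.
        recent_by_host.setdefault(ev["host"], []).append(ev)
    return findings


if __name__ == "__main__":
    for f in detect_chained_rdp(LOG_LINES, HOST_IPS):
        print(f"ALERT: {f['first_user']} -> {f['pivot_host']} then {f['second_user']} -> "
              f"{f['target_host']} ({f['minutes_between']} min apart)")
```

On the sample data only the alice -> SERVER-A -> svc_backup -> SERVER-B chain fires: the later hop by the same user is not a credential change, and bob's hop from SERVER-A lands hours after alice's logon, outside the one-hour window. A real deployment would feed the first query's results into the lookup table and have the second query consult it, rather than holding both in one process.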

Hi @jacmarpet

In the upcoming release 3.2 it will be possible to have a dynamic lookup table, so this kind of search/alert is possible.


Hello Jan,

Thank you very much for your answer. That sounds great.

