I would like to know if it is possible to create an alarm for the following scenario:
User A uses RDP to log on to Server A. Then user B logs on to Server B from Server A using RDP.
So the scenario is an attacker using one set of credentials to RDP to Server A and then does RDP from Server A to Server B using different credentials.
It is possible to log this? As I see it I need to be able to create variables in the search criteria, as in Server A IP address would need to be saved somehow and used in another query to figure out if other RDP sessions has been started from Server A to other servers, without for example 1 hour.
Is this possible?
Thanks in advance.