Windows Remote Desktop Alarm

jacmarpet · December 16, 2019, 8:56am

Hello,

I would like to know if it is possible to create an alarm for the following scenario:

User A uses RDP to log on to Server A. Then user B logs on to Server B from Server A using RDP.

So the scenario is an attacker using one set of credentials to RDP to Server A and then does RDP from Server A to Server B using different credentials.

It is possible to log this? As I see it I need to be able to create variables in the search criteria, as in Server A IP address would need to be saved somehow and used in another query to figure out if other RDP sessions has been started from Server A to other servers, without for example 1 hour.

Is this possible?

Thanks in advance.

jan · December 16, 2019, 9:52am

he @jacmarpet

in the upcoming release 3.2 it will be possible to have a dynamic lookup table and so this kind of search/alert is possible.

jacmarpet · December 16, 2019, 10:38am

Hello Jan,

Thank you very much for your answer. That sounds great

system · December 30, 2019, 10:38am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Single Login, Multple IP addresses Graylog Central (peer support)	3	738	October 22, 2018
Finding if a users IP changes Graylog Central (peer support)	2	660	October 6, 2021
Create an alert that triggers on changing IP Graylog Tech Challenges	2	478	July 23, 2021
Monitoring Active SSH/RDP Sessions Graylog Central (peer support)	1	2111	August 16, 2019
User logged on to multiple machines, alert Graylog Central (peer support)	2	370	October 24, 2017

Windows Remote Desktop Alarm

Related topics