Windows Remote Desktop Logon Detection
Remote Desktop account activity events are not easily identifiable using the Event Viewer GUI. When an account remotely connects to a client, a generic successful logon event is created. A custom Query Filter can aid in clarifying the type of logon that was performed. The query below shows logins using Remote Desktop. Remote Desktop activity should be monitored since only certain administrators should be using it, and they should be from a limited set of management workstations. Any Remote Desktop logins outside of expected activity should be investigated.The XPath queries below are used for the Event Viewer’s Custom Views. Event ID 4624 and Event ID 4634 respecively indicate when a user has logged on and logged off with RDP. A LogonType with the value of 10 indicates a Remote Interactive logon.
Related Solution
AIS Managed SIEM
Explore our Solutions
Organizations are constantly faced with the challenge of adopting new technologies while safeguarding against potential security threats. The need for robust IT solutions has never been more pressing.

AIS Labs
AIS offers a variety of technology solutions leveraging enterprise open-source software, developed and maintained by AIS engineers. These include AIS Managed Firewall, NMS, SIEM, and VoIP.