A while back I got a request from the security department, they wanted to know when someone sign onto the file print servers using an RDP connection – remote desktop. Seeing that we already have ACS deployed and these events is already stored in a database it was real easy to pull this information out of the ACS databases. What they however wanted was to be email in real-time when this happened, someone sign onto a file and print server. One approach to get this done was to use the WMI and the SCOM management group.
Choose a destination management pack different from the “Default Management Pack” and click on “Next”
On the next screen give the rule a name, as a best practise I also use “Custom – ” in front of any rules that i create, it makes the searching for rules easier.
The rule category must be “Alert” as we will create an alert
Here comes the important bit: The Rule Target must “Microsoft Audit Collection Services Collector”, the WMI query will run against the WMI namespace on the ACS collector server as that is where all security events from the forwarders is forwaded to
On the WMI Configuration screen you will need to specify the WMI Namespace and also the Query
The namespace must be “root\default”
The query in my case is “SELECT * FROM AdtsEvent WHERE EventId=528 and String01=’10′”
Security Event 528 is when a account succesfully logs onto a computer
Now String01 is the more difficult part, the value 10 refers to the LogonType and 10 equals RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) logon type and this is what i need.
An easy way to find out what the different strings are that ACS breaksup a security event is to run a select statement agains the ACS database server for all events with id 528
Select * from AdtServer.dvAll where eventid=528
This query will then return all the events and you can see the fields and what database columns they are stored in
On the Configure Alerts screen you need to create and specify the alert description and alert name
The alert description allows you to custom-define what you want the alert to say. In my case i used
The User: $Data/EventData/DataItem/Property[@Name=’PrimaryDomain’]$\$Data/EventData/DataItem/Property[@Name=’PrimaryUser’]$ signed onto server: $Data/EventData/DataItem/Property[@Name=’String04′]$ using an RDP session from IP Addres: $Data/EventData/DataItem/Property[@Name=’String02′]$
The fields above is reference like that, if you run the query against the ACS database server you can substitute the SQL columns for the values in ‘ ‘ quotes to get that information into the alert description.
I left all other fields default and clicked Create.
Example of alert in the console