Find Current User Who Triggered Alert logged into RDP Server

  • 27 June 2016

Hey All,
 
I have a client that has WSA installed on all their endpoints as well as their server.
 
There are roughly 10-20 users simultaneously logged in to the RDP server at any given time, and we have gotten alerts that there was action taken against malware being executed on the server.
 
I have the alert set up to display the current user, but when they are logged into the RDP session, the alert comes through but doesn't show the logged-in user in the alert email.
 
Is there a way to tell in the GSM or tweak the alert to show who is logged into the RDP server and triggered the malware alert?
 
Thanks
John
Nerds On Site

1 reply

That should show in the WRData log on the machine itself (that's local to the server, not in the console). If you need help parsing it, let me know and I can have support reach out to you.
