I have a client that has WSA installed on all their endpoints as well as their server.
There are roughly 10-20 simultaneous logged-in users on the RDP server at any given time, and we have gotten alerts that there was action taken against malware being executed on the server.
I have the alert set up to display the current user, but when they are logged into the RDP session, the alert comes through but doesn't show the logged-in user in the alert email.
Is there a way to tell in the GSM or tweak the alert to show who is logged into the RDP server and triggered the malware alert?
Nerds On Site
Find Current User Who Triggered Alert logged into RDP Server
That should show in the WRData log on the machine itself (that's local to the server, not in the console). If you need help parsing it, let me know and I can have support reach out to you.