VPN Login and RDP with different users

Alert Purpose

This alert should be triggered on detecting a VPN login and an RDC connection with a different user than the VPN user.

Data Sources Needed

  • VPN Login events
  • Windows Security log


  1. Rule 1 - EventID isinList 1660049 / 1660009

  2. Rule 2 - EventID = 4624 AND S9 = 10 AND UserName NOT = Rule No. 1 UserName
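The correlation the two rules describe, sketched as an added example (not taken from this page or from any SIEM product). It assumes S9 holds the 4624 logon type (10 = RemoteInteractive), that the two events are joined on the VPN-assigned address matching the RDP source address, and that a VPN login stays relevant for 8 hours; the field names `assigned_ip`, `src_ip`, `logon_type` and `host` are hypothetical.

```python
from datetime import datetime, timedelta

VPN_LOGIN_IDS = {1660049, 1660009}  # Rule 1 event IDs, from the page
RDP_LOGON_TYPE = 10                 # Rule 2: assumed meaning of S9 (RemoteInteractive)
WINDOW = timedelta(hours=8)         # assumption: how long a VPN login stays relevant


def norm_user(name):
    """Reduce DOMAIN\\user and user@domain to a lowercase bare account name."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]


def correlate(events):
    """Return (vpn_user, rdp_user, host, time) for each Rule 2 match."""
    sessions = {}  # VPN-assigned IP -> (normalized VPN user, login time)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] in VPN_LOGIN_IDS:  # Rule 1
            sessions[ev["assigned_ip"]] = (norm_user(ev["user"]), ev["time"])
        elif ev["event_id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            vpn = sessions.get(ev["src_ip"])
            if vpn is None or ev["time"] - vpn[1] > WINDOW:
                continue  # no recent VPN login behind this source address
            rdp_user = norm_user(ev["user"])
            if rdp_user != vpn[0]:  # Rule 2: UserName differs from Rule 1 UserName
                alerts.append((vpn[0], rdp_user, ev["host"], ev["time"]))
    return alerts


def sample_event(minute, event_id, user, **fields):
    """Build one constructed sample event, `minute` minutes after 09:00."""
    t = datetime(2024, 1, 10, 9, 0) + timedelta(minutes=minute)
    return {"time": t, "event_id": event_id, "user": user, **fields}


SAMPLE = [  # constructed events, not real log data
    sample_event(0, 1660049, "CORP\\alice", assigned_ip="10.8.0.21"),
    sample_event(1, 1660009, "bob@corp.example", assigned_ip="10.8.0.22"),
    sample_event(5, 4624, "alice@corp.example", logon_type=10, src_ip="10.8.0.21", host="SRV-APP01"),  # same user
    sample_event(7, 4624, "CORP\\svc_backup", logon_type=10, src_ip="10.8.0.22", host="SRV-DB02"),  # mismatch
    sample_event(8, 4624, "CORP\\carol", logon_type=3, src_ip="10.8.0.21", host="SRV-APP01"),  # not RDP
    sample_event(9, 4624, "CORP\\dave", logon_type=10, src_ip="10.9.9.9", host="SRV-APP01"),  # no VPN session
    sample_event(600, 4624, "CORP\\erin", logon_type=10, src_ip="10.8.0.21", host="SRV-APP01"),  # VPN login too old
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Normalizing the account name before comparing keeps the same person logging in as `CORP\alice` on the VPN and `alice@corp.example` over RDP from raising a false alert.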

Alert Object

