VPN Login and RDP with differet users
This alert should be trigged on detecting a VPN login and RDC connection with a different user then the VPN user.
Data Sources Needed
- VPN Login events
- Windows Security log
Rule 1 - EventID isinList 1660049 / 1660009
Rule 2 - EventID = 4624 AND S9 = 10 AND UserName NOT = Rule No. 1 UserName
To export the alert settings, click on Alert Object above.