Hi,
I want to put in place an alert which detects non-authorized connections. In order to do that, I have integrated some workstation logs. I want to know which users have logged in on these workstations. So, I have 2 recommendations:
- I want to target the impacted workstations (for example, I want to check connections only on HOSTNAME1, HOSTNAME2, HOSTNAME3, not on HOSTNAME4)
- I want to exclude normal users (for example, USER1 is authorized to log in on HOSTNAME1)
Do you have any idea how to do that?
I want to do this:
Event 4624 (Security) AND HOSTNAME IN $WATCHLIST(HOSTNAME) AND USERNAME NOT IN $WATCHLIST(USERNAME)
Thanks for your help.
Regards.
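The logic asked for above, written out as an added example (it is not part of the original post and is not tied to any SIEM's query language). It goes one step beyond the flat `USERNAME` watchlist in the post by keeping the authorized users per host, so USER1 being allowed on HOSTNAME1 does not silence USER1 on HOSTNAME2. The field names, the `USER2` and `USER9` accounts and the sample events are assumptions constructed for illustration.

```python
# Added example: field names (EventID, Channel, Computer, TargetUserName) are
# assumed normalized names; adapt them to what your SIEM actually emits.

# Watchlist 1: hosts to monitor. Watchlist 2: users allowed per host.
WATCHED_HOSTS = {"HOSTNAME1", "HOSTNAME2", "HOSTNAME3"}
AUTHORIZED = {
    "HOSTNAME1": {"USER1"},
    "HOSTNAME2": {"USER2"},      # USER2 is a constructed account name
    "HOSTNAME3": set(),          # nobody is expected to log on here
}

def norm_host(name):
    """Upper-case and drop any DNS suffix: hostname1.corp.example -> HOSTNAME1."""
    return name.split(".", 1)[0].upper()

def norm_user(name):
    """Upper-case and drop a DOMAIN\\ prefix or an @domain suffix."""
    return name.rsplit("\\", 1)[-1].split("@", 1)[0].upper()

def is_unauthorized_logon(event):
    """True when a 4624 on a watched host is by a user not allowed on that host."""
    if event.get("EventID") != 4624 or event.get("Channel") != "Security":
        return False
    host = norm_host(event.get("Computer", ""))
    if host not in WATCHED_HOSTS:
        return False
    user = norm_user(event.get("TargetUserName", ""))
    return user not in AUTHORIZED.get(host, set())

def find_alerts(events):
    """Return the (host, user) pairs that should raise the alert."""
    return [(norm_host(e["Computer"]), norm_user(e["TargetUserName"]))
            for e in events if is_unauthorized_logon(e)]

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Channel": "Security", "Computer": "HOSTNAME1", "TargetUserName": "USER1"},
    {"EventID": 4624, "Channel": "Security", "Computer": "hostname2.corp.example", "TargetUserName": "USER1"},
    {"EventID": 4624, "Channel": "Security", "Computer": "HOSTNAME3", "TargetUserName": "CORP\\user9"},
    {"EventID": 4624, "Channel": "Security", "Computer": "HOSTNAME4", "TargetUserName": "USER9"},
    {"EventID": 4634, "Channel": "Security", "Computer": "HOSTNAME1", "TargetUserName": "USER9"},
]

if __name__ == "__main__":
    for host, user in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT unauthorized logon: {user} on {host}")
```

Normalizing case and stripping the domain part before the lookup matters here, because a watchlist entry `USER1` would otherwise fail to match `corp\user1` and generate a false alert.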