I set up an alert to notify me via email whenever an RDP event log is created.
This alert is working, though what I am figuring out now is how to include the exact Source IP of that RDP session.
What's included in the alert is the "Network Address" of that endpoint.
E.g., I RDP in to 10.1xx.10.40, and it only shows the Network Address in the alert, which is 10.1xx.10.1.
Here's the actual email alert:
This alert is about your Log Insight installation on https://x.x.x.x/
Log Insight found the following 1 event matching the criteria for alert "A successful Windows RDP login was detected":
Remote Desktop Services: User authentication succeeded:
Source Network Address: 10.1xx.10.1
Note: To avoid raising duplicate alerts, this alert will now be snoozed for the next 5 minutes (the search period for this alert).
I have been searching online and going through the VRLI GUI one section at a time (including the User alert settings), though I can't seem to find where to configure this.
Any assistance will be greatly appreciated!