User login activity for servers

TonicXsonic

Hi, I would like to know if there is a way to create an alert when there is a user to log in from the managed device. So far i don't see any option in the threshold setting for this.

nathan

I haven't tried it - but perhaps create a threshold profile and look for this event ID 4264 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events The trouble is you probably want to filter it where LogonType=2 and atera does not support that.

You might be able to use a custom script instead attached to a threshold profile to achieve that, something like

taken from https://theposhwolf.com/howtos/Get-LoginEvents/

Get-WinEvent -FilterHashtable $filterHt | foreach-Object {
    [pscustomobject]@{
        ComputerName = $ComputerName
        UserAccount = $_.Properties.Value[5]
        UserDomain = $_.Properties.Value[6]
        LogonType = [LogonTypes]$_.Properties.Value[8]
        WorkstationName = $_.Properties.Value[11]
        SourceNetworkAddress = $_.Properties.Value[19]
    }
}
#output
echo 1

and then raise an alert if your script outputs a 1 or something.

Sorry I cannot give you an exact answer, but I hope that this helps.