EventSentry Cookbook II

Part 2: User Information

Note: This applies to EventSentry version 3.5.1.32

HOW TO:

Find a stale RDP session on a server that is locking out an account:

  • Open the EventSentry Web reports and log in
  • Navigate to Reports -> Compliance
  • Click on the Terminal Services Logons report in the HIPAA section (or click Run, on the right side)
  • The Search filter will already have type:"Terminal Services" in it. Add the following after a space: AND user:<domain>\<username> to filter for a specific user
  • Any session still logged in will show “still logged on…” in the Logout column

Produce a report that shows all logon events for a specified user ID:

  • Open the EventSentry Web reports and log in
  • Navigate to Reports -> Compliance
  • Click on Account Authentication Analysis (bottom of the HIPAA section)
  • Click the Detailed button in the upper left
  • The Search filter will already have computertype:"Terminal Services" in it. Add the following after a space: AND account:<username> to filter for a specific user

See a top 20 list of both successful and failed logons:

  • Open the EventSentry Web reports and log in
  • Navigate to Dashboard -> Overview -> User Activity
  • Click on a server’s tile to view its statistics on the left side

See all user lockouts over a given time period:

  • Open the EventSentry Web reports and log in
  • Navigate to Reports -> Compliance
  • Click on User Account Lockouts (middle of the NIST 800-171 section)
  • Adjust the time range in the upper right

See more at: https://www.eventsentry.com/
