Overview: In this article, we will review how to enable auditing of logon events on your Windows endpoints and receive an alert in Atera whenever a successful remote login event occurs. The alert will include the source's IP address, port and user.
First, make sure that auditing of logon attempts is enabled on the endpoint. If it is, you can skip to Step 4.
Auditing can be enabled remotely as shown below, or you can proceed to Step 1 to enable it manually.
You can use the following command line to list the current audit policy settings:
auditpol /get /category:*
You can also enable auditing of logon events remotely with this command:
auditpol /set /subcategory:Logon /success:enable
Time estimated to complete this procedure: 5-10 minutes
Step 1: Access your Windows endpoint. Press WinKey+R on your keyboard, enter gpedit.msc and click OK.
Step 2: Go to the following path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Step 3: Double-click Audit logon events.
This opens a window called Audit logon events Properties. Mark the Success checkbox and click OK.
Step 4: Go to app.atera.com > Admin > Scripts > Shared Script Library:
Step 5: Search for the script named Create Alert When Remote Connection Occurs (you can use the Script Name box to filter the results):
Step 6: Click Clone to copy the script to My Scripts:
You will now find the script under 'My Scripts', named 'Create Alert When Remote Connection Occurs (copy)':
Note: Be sure to edit the script and enter your Atera API key on line 26.
Step 7: Go to the Agent console > Manage > Run Script and choose the script you cloned at Step 6.
Step 8: In your PC's Start menu, open the Task Scheduler.
Click Task Scheduler Library and select Create Task on the right side.
Step 9: On the General tab, enter a name for the new task. Check Run with highest privileges, change the user to Administrator and select “Run whether user is logged on or not”.
Step 10: Click the Triggers tab and click New. In the Begin the task drop-down list, select On an event and choose Basic.
For Log, choose Security. For Source, choose Microsoft-Windows-Security-Auditing. In the Event ID field, enter 4624.
Step 11: Click the Actions tab and click New. In the Program/script field, type powershell.exe. In the Add arguments box, add:
-windowstyle hidden C:\RemoteLoginAlert.ps1
Enter any Conditions and Settings that you require and click OK to create the scheduled task.
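If you need to roll this out to many endpoints, the task built by hand in Steps 8-11 can be registered from PowerShell instead. The following is an added example and not part of the original article or Atera's scripts. It assumes the alert script already exists at C:\RemoteLoginAlert.ps1 (the path used in Step 11), that it runs in an elevated PowerShell session, and it uses a placeholder task name of RemoteLoginAlert. It also runs the task as SYSTEM rather than the Administrator account named in Step 9; SYSTEM likewise runs whether or not a user is logged on and needs no stored password.

```powershell
# Added example (not the article's or Atera's code): register the event-triggered
# task from Steps 8-11 with PowerShell.
# Assumptions: C:\RemoteLoginAlert.ps1 already exists, the session is elevated,
# and 'RemoteLoginAlert' is a placeholder task name.

$taskName   = 'RemoteLoginAlert'
$scriptPath = 'C:\RemoteLoginAlert.ps1'

# Event trigger: New-ScheduledTaskTrigger has no "On an event" option, so build an
# MSFT_TaskEventTrigger CIM instance carrying the same event subscription the Basic
# trigger in Step 10 produces (Security log, Microsoft-Windows-Security-Auditing, 4624).
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
    -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled = $true
$trigger.Subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4624]]</Select>
  </Query>
</QueryList>
"@

# Action: same as Step 11, run hidden. -File is added so powershell.exe treats the
# argument as a script path rather than a command string (safer if the path ever
# contains spaces).
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-WindowStyle Hidden -File `"$scriptPath`""

# Principal: highest privileges, runs whether or not anyone is logged on (Step 9).
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Settings: a 4624 can fire on a laptop running on battery, so do not skip it there.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $taskName -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings -Force | Out-Null

# Check: the task should now exist and report State = Ready.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
```

The XPath in the subscription is exactly what Task Scheduler writes when you fill in Log, Source and Event ID on the Basic trigger page, so a task created this way shows the same trigger in the GUI as one created by hand.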
Step 12: Verify the setup. Connect to a device remotely, then navigate to that device in the Atera console. You will see an Information alert that a remote connection has occurred, showing the IP address, port and user.
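To understand where the IP address, port and user in the alert come from, it helps to look at the 4624 events directly. The following is an added example, not the Atera shared script from Step 5 and not code from the article; it reads recent 4624 events from the Security log, extracts those three fields from the event XML, and keeps only logons that came from a remote address. It assumes logon auditing is enabled (as set up above) and that it runs in an elevated session, since reading the Security log requires it; the logon-type filter is an assumption you can adjust.

```powershell
# Added example (not Atera's script): list recent successful logons (Event ID 4624)
# with the fields the alert reports. Assumes logon auditing is enabled and the
# session is elevated.

function Get-RemoteLogonEvent {
    param(
        [int]$MaxEvents = 20,
        # Logon types treated as "remote" here (an assumption, adjust as needed):
        # 10 = RemoteInteractive (RDP), 7 = Unlock (often an RDP reconnect), 3 = Network.
        [int[]]$LogonTypes = @(10, 7, 3)
    )

    $filter = @{ LogName = 'Security'; Id = 4624 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # 4624 stores its details as named <Data> elements in the event XML;
            # reading them by name is more robust than indexing $_.Properties.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time      = $_.TimeCreated
                LogonType = [int]$data['LogonType']
                User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                IpAddress = $data['IpAddress']
                IpPort    = $data['IpPort']
            }
        } |
        Where-Object {
            # Local and system logons carry '-' as the address; drop those and keep
            # only the logon types we consider remote.
            $_.IpAddress -ne '-' -and $_.LogonType -in $LogonTypes
        }
}

# Example use: show the remote logons an alert script would have reported.
Get-RemoteLogonEvent -MaxEvents 50 | Format-Table -AutoSize
```

A useful check after completing Step 12 is to run this on the endpoint you connected to: the top row should match the IP address, port and user shown in the Atera alert. If it does not appear at all, the Success audit setting from Step 3 (or the auditpol command above) is the first thing to re-check.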