We have a requirement to track users that open logon via Citrix and then go on to RDP to servers on our environment with admin accounts, which are basically their normal accounts with an a at the end. The two logon events can be seen separately, but we are not able to create a correlation rule to link them.
@David1111's solution will work. But it might not catch an edge case: what if, for example, I log in with my user credentials, then I RDP to a server with YOUR admin credentials?
@jassimsaf: I am going to assume your Citrix servers are not single user, but multiple users can be logged into them and be presented desktops concurrently?
This can present a problem, as it is hard to know what user is logging in from their Citrix session to other machines using IP addressing. To make a correlation rule such as this, you are going to need to incorporate more than just Windows logon events.
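The correlation discussed in this thread, sketched as an added example that is not part of any post above and is not a SIEM rule: it pairs each admin RDP logon with the Citrix sessions seen on its source IP and separates the "someone else's admin account" edge case from the normal one. The event fields, sample events, 8-hour window and verdict names are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

ADMIN_SUFFIX = "a"            # from the thread: admin account = normal account + "a"
WINDOW = timedelta(hours=8)   # assumed maximum age of a Citrix session (no logoff events here)

# Constructed sample events; field names are hypothetical, not a product schema.
EVENTS = [
    {"t": "2024-01-10T09:00:00", "type": "citrix_logon", "user": "jsmith", "host_ip": "10.0.0.5"},
    {"t": "2024-01-10T09:05:00", "type": "citrix_logon", "user": "mbrown", "host_ip": "10.0.0.5"},
    {"t": "2024-01-10T09:30:00", "type": "rdp_logon", "user": "jsmitha", "src_ip": "10.0.0.5", "dest": "srv01"},
    {"t": "2024-01-10T09:40:00", "type": "rdp_logon", "user": "kleea", "src_ip": "10.0.0.5", "dest": "srv02"},
    {"t": "2024-01-10T09:50:00", "type": "rdp_logon", "user": "mbrowna", "src_ip": "10.0.0.9", "dest": "srv03"},
]

def correlate(events, window=WINDOW):
    """Classify each admin RDP logon against Citrix sessions on its source IP."""
    sessions = []   # (time, user, Citrix host IP)
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        ts = datetime.fromisoformat(ev["t"])
        user = ev["user"].lower()
        if ev["type"] == "citrix_logon":
            sessions.append((ts, user, ev["host_ip"]))
        # A bare suffix test also matches normal names ending in "a";
        # a real rule would check against the list of admin accounts.
        elif ev["type"] == "rdp_logon" and user.endswith(ADMIN_SUFFIX):
            owner = user[:-len(ADMIN_SUFFIX)]
            # Every user with a recent session on the source Citrix host is a
            # candidate: the IP alone cannot say which one opened the RDP client.
            candidates = sorted({u for t, u, ip in sessions
                                 if ip == ev["src_ip"] and ts - t <= window})
            if owner in candidates:
                verdict = "owner_session_present"
            elif candidates:
                verdict = "admin_account_without_owner_session"  # edge case from the reply
            else:
                verdict = "no_citrix_session_on_source"
            findings.append({"admin": ev["user"], "dest": ev["dest"],
                             "verdict": verdict, "candidates": candidates})
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Even the "owner_session_present" verdict lists two candidates on the shared host, which is why the reply says logon events and IP addresses alone are not enough on multi-user Citrix servers.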