
How to track user log-on/off


Dear all,

I want to track log-on/log-off on a computer using the "Automatic Responses" feature. For example: user "A" has the computer "B"; if another user logs on or off on computer B, send an email warning to me.

So what do I need to configure, or which McAfee product do I need to apply to the client, to do it?

Please advise and help me. Thank you very much!


Accepted Solutions

Re: How to track user log-on/off

Absolutely.

There are a couple of ways to go about it. If you want to utilize ePO, however, try the following, as I have on multiple occasions:

(Utilize tagging)

1. After you gain the parameters (usernames, host names, etc.), create a tag in ePO.

2. Go into the SIEM and create an alarm that has a trigger of a signature ID or a correlation rule that states: when bob logs on to hostA while user mary is logged on, assign the ePO tag and send me an email.

3. Take it further by running a script (PowerShell or whatever) and solicit all forensic info from both host machines. I use POSH:

http://www.powershellmagazine.com/2014/07/03/posh-ssh-open-source-ssh-powershell-module/

PoshSec | The official website of PoshSec and the PoshSec Framework

4 Replies

Re: How to track user log-on/off

As I currently understand it, I don't think you can do this with ePO/MAgent? I've had a look through the client Event IDs this morning and cannot see any that would be triggered for user login events.

Re: How to track user log-on/off

ePO was never intended to be an AD or some sort of SIEM for tracking event information like that. You'd be better off trying to use SCCM or, if your organization has a SIEM, collecting the log information and querying for it from there.

However, you might be able to do this through ePO. I see event IDs:

20789: User Logged On

20790: User Logon Failed

20791: User Logged Off

You might be able to set up some tracking for that and use those IDs for automatic responses, but again, there are more efficient methods than using ePO if available to you.
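The correlation rule described in the accepted solution, combined with the event IDs quoted in the reply above, as an added example (not code from the thread or from McAfee). The CSV layout, the host-to-owner table and the user names are constructed for illustration and are not an ePO or SIEM export format.

```python
import csv
import io

# Event IDs as quoted in the reply above.
KINDS = {"20789": "logon", "20790": "failed logon", "20791": "logoff"}

# Constructed inventory (assumption): which user each computer is assigned to.
OWNERS = {"HOSTA": "mary", "HOSTB": "alice"}

# Constructed sample events: timestamp,host,event_id,user (assumed layout).
SAMPLE_EVENTS = """\
2024-05-01T08:00:00,HOSTA,20789,mary
2024-05-01T08:05:00,HOSTA,20789,bob
2024-05-01T08:06:00,HOSTB,20790,bob
2024-05-01T08:30:00,HOSTA,20791,bob
2024-05-01T09:00:00,HOSTA,20791,mary
2024-05-01T09:10:00,HOSTA,20789,bob
2024-05-01T09:15:00,HOSTC,20789,carol
"""

def find_alerts(event_text, owners):
    """Return (time, host, user, reason) for every event that merits an email."""
    alerts = []
    sessions = {}  # host -> users currently logged on
    for row in csv.reader(io.StringIO(event_text)):
        if len(row) != 4 or row[2].strip() not in KINDS:
            continue  # skip malformed rows and unrelated event IDs
        ts, host, user = row[0].strip(), row[1].strip().upper(), row[3].strip().lower()
        kind = KINDS[row[2].strip()]
        active = sessions.setdefault(host, set())
        if kind == "logon":
            active.add(user)
        elif kind == "logoff":
            active.discard(user)
        owner = owners.get(host)
        if owner is None:
            # Surface inventory gaps instead of silently ignoring the host.
            alerts.append((ts, host, user, "host has no assigned owner"))
        elif user != owner:
            reason = f"non-owner {kind}"
            if kind == "logon" and owner in active:
                reason += " while owner is logged on"
            alerts.append((ts, host, user, reason))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS, OWNERS):
        print(*alert, sep="  ")
```
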

Re: How to track user log-on/off

Hi,

Thank you for your reply.

So to track the event IDs, I need to install Solidcore on the client, right?
