Advanced RDP Detection Engine Settings - How to exclude some Security Log Events from processing.
RdpGuard
Intrusion prevention system for your Windows Server
 
Security Log Event ID 4625 overview

Windows Security Log Event ID 4625 is one of the key sources for RdpGuard's RDP brute-force detection routine.

This event is logged for every failed attempt to log on to the local computer, regardless of the logon type, the location of the user or the type of account.

Examples include failed RDP attempts and failed connections to a network share or printer; the event may also mean that a local process failed to log on, for example a process that requires user elevation or a scheduled task.

The sample event is below:

[Image: Security Log Event ID 4625 Example]

If you open Event Details and switch to the XML View, you will see the event XML:

[Image: Security Log Event ID 4625 XML Example]

For now RdpGuard doesn't analyze event details and doesn't differentiate between logon types: every 4625 event is marked as RDP in the RdpGuard Dashboard.

You may, however, want to exclude some events from processing based on their details, for example to avoid blocking legitimate users whose events can be identified by those details.

Starting from version 7.8.7, RdpGuard provides this possibility via the Exclusions feature.


Exclusions for RDP monitoring engine

To configure exclusions for the RDP protocol:

1. Start the RdpGuard Dashboard and click the link next to RDP.

[Image: RDP Protection Link in RdpGuard Dashboard]

The RDP Settings dialog will open:

[Image: The Exclusions link in the RDP Detection Settings dialog]

2. Click the Exclusions link at the bottom of the dialog.

The RDP Exclusions dialog will open:

[Image: RDP Exclusions Dialog]

Here you can specify exclusion rules for Security Log Event ID 4625; the rule syntax is described below.


Exclusion Rules Syntax

Exclusion rules are a set of key-value pairs with wildcard support. Each rule must start on a new line.

For example:

key[equality-operator]value,key[equality-operator]value
key[equality-operator]value,key[equality-operator]value
Supported equality operators are = (equal) and != (not equal).

For example:

key1=value1, key2!=value2
key3=value3, key2=value4
key4=*value5
If the event details match any of the rules, the event is skipped, i.e. the OR operator applies between rules.

A rule may contain any number of conditions separated by commas; the event matches the rule only if all of its conditions match, i.e. the AND operator applies to the conditions within a rule.

So the example above is interpreted as: skip the event if (key1 equals value1 AND key2 does not equal value2) OR (key3 equals value3 AND key2 equals value4) OR (key4 ends with value5, the asterisk matching any prefix).

Keep in mind that fields such as TargetUserName and WorkstationName are supplied by the connecting client, so a rule that matches only on them can be satisfied by an attacker who presents the same values. Where possible, combine such conditions with a field the client does not control, such as IpAddress, LogonType or ProcessName, and keep each rule as narrow as the legitimate case allows.

Supported keys are:

  • SubjectUserSid
  • SubjectUserName
  • SubjectDomainName
  • SubjectLogonId
  • TargetUserSid
  • TargetUserName
  • TargetDomainName
  • Status
  • FailureReason
  • SubStatus
  • LogonType
  • LogonProcessName
  • AuthenticationPackageName
  • WorkstationName
  • TransmittedServices
  • LmPackageName
  • KeyLength
  • ProcessId
  • ProcessName
  • IpAddress
  • IpPort
As you may note, these are the node names from the EventData section of the 4625 event XML shown above; check the actual node values in the XML View of the event when writing exclusion rules, since the engine compares against those values.
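To test a rule set offline before entering it in the RDP Exclusions dialog, here is an evaluator added for this page (example code, not RdpGuard's own) that implements the syntax described above: one rule per line, comma-separated conditions combined with AND, rules combined with OR, the = and != operators, and * as a wildcard. It reads the same <Data Name="..."> nodes from the EventData section that the XML View shows. The sample event, the rule set, the svc_backup service account and the 10.0.0.* "trusted" subnet are constructed for the example; case-insensitive comparison and ? as a single-character wildcard are assumptions, since the page does not state how RdpGuard compares values.

```python
"""Offline checker for RdpGuard-style 4625 exclusion rules (added example, not
RdpGuard code).  Semantics follow the page: one rule per line, comma-separated
conditions ANDed, rules ORed, operators "=" / "!=", "*" as a wildcard.
Case-insensitive matching and "?" as a one-character wildcard are assumptions."""
import re
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# EventData node names of 4625 that RdpGuard accepts as rule keys.
SUPPORTED_KEYS = {
    "SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId",
    "TargetUserSid", "TargetUserName", "TargetDomainName", "Status",
    "FailureReason", "SubStatus", "LogonType", "LogonProcessName",
    "AuthenticationPackageName", "WorkstationName", "TransmittedServices",
    "LmPackageName", "KeyLength", "ProcessId", "ProcessName", "IpAddress", "IpPort",
}

# Constructed sample: a failed NTLM network logon from an external address,
# trimmed to the EventData nodes the rules below look at.
SAMPLE_4625_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="TargetUserName">administrator</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">WIN-ATTACKER</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">203.0.113.45</Data>
  </EventData>
</Event>"""

def parse_event_data(xml_text):
    """Return {Name: value} for every <Data Name="..."> node of the event XML."""
    event = {}
    for node in ET.fromstring(xml_text).iter(EVENT_NS + "Data"):
        if node.get("Name"):
            event[node.get("Name")] = (node.text or "").strip()
    return event

def parse_rules(text):
    """Parse rule text into a list of rules, each a list of (key, op, pattern)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        conditions = []
        for cond in raw.split(","):
            op = "!=" if "!=" in cond else "="
            key, sep, pattern = cond.partition(op)
            key, pattern = key.strip(), pattern.strip()
            if not sep or not key:
                raise ValueError(f"line {lineno}: malformed condition {cond.strip()!r}")
            if key not in SUPPORTED_KEYS:
                raise ValueError(f"line {lineno}: unsupported key {key!r}")
            conditions.append((key, op, pattern))
        rules.append(conditions)
    return rules

def wildcard_match(pattern, value):
    """'*' matches any run of characters, '?' one character; case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def is_excluded(rules, event):
    """OR across rules, AND across the conditions inside one rule."""
    def holds(key, op, pattern):
        hit = wildcard_match(pattern, event.get(key, ""))
        return hit if op == "=" else not hit
    return any(all(holds(*c) for c in rule) for rule in rules)

# Rules under test: skip service-account failures raised by the Service Control
# Manager (LogonType 5), and skip non-network failures from a trusted subnet.
RULES_TEXT = r"""
LogonType=5, ProcessName=*\services.exe
IpAddress=10.0.0.*, LogonType!=3
"""

def demo():
    """Evaluate RULES_TEXT against constructed variants of the sample event."""
    rules = parse_rules(RULES_TEXT)
    external = parse_event_data(SAMPLE_4625_XML)
    service = dict(external, TargetUserName="svc_backup", LogonType="5",
                   ProcessName=r"C:\Windows\System32\services.exe", IpAddress="-")
    console = dict(external, IpAddress="10.0.0.7", LogonType="10")
    lan_ntlm = dict(external, IpAddress="10.0.0.7")  # still LogonType 3
    # TargetUserName and WorkstationName are chosen by the client, so a rule
    # keyed on them alone is satisfied by any attacker who guesses the value.
    weak = parse_rules("TargetUserName=svc_backup")
    spoofed = dict(external, TargetUserName="svc_backup")
    return {
        "external_attacker": is_excluded(rules, external),       # False
        "local_service": is_excluded(rules, service),            # True
        "trusted_console": is_excluded(rules, console),          # True
        "trusted_subnet_network": is_excluded(rules, lan_ntlm),  # False
        "weak_rule_spoofed": is_excluded(weak, spoofed),         # True
    }
```

Paste the XML of a real event from the XML View into SAMPLE_4625_XML and your own rule text into RULES_TEXT to see which rule, if any, would make RdpGuard skip it. The last case in demo() is the one to watch for in your own rules: the external attacker is skipped as soon as they type the excluded username, because nothing in that rule ties it to where the attempt came from.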

Copyright © 2012-2022 NetSDK Software. All rights reserved.