In addition to @13Cubed's response, you'll want to make sure your audit policy for Logon/Log off -> Other login/log off events is enabled for failed and successful events (ideally enforced through GPO in the default domain policy or a baseline Intune policy) if you want that log to be generated on the local system. Check your SIEM config to ensure those event types aren't being filtered.
There are dozens and dozens of remote support tools, each with their own artifacts and caveats. I will consider making future episodes covering some of them in the future.
Love learning new tidbits like this! Keep them coming!
How do you determine authorization failed?
Event ID 4825 is usually helpful there.
In addition to @13Cubed's response, you'll want to make sure your audit policy for Logon/Log off -> Other login/log off events is enabled for failed and successful events (ideally enforced through GPO in the default domain policy or a baseline Intune policy) if you want that log to be generated on the local system. Check your SIEM config to ensure those event types aren't being filtered.
Had the same question, thanks for asking!
Very informative and clear to understand. brilliant thanks
This is simply brilliant - thank you for this amazing video
what about dameware ?
There are dozens and dozens of remote support tools, each with their own artifacts and caveats. I will consider making future episodes covering some of them in the future.
This is great information - thanks!
Not complicated but very usefull. Thanks!