IBM Security QRadar

Checking user action in password manager and RDP

    Posted Tue August 25, 2020 03:03 AM
    Hi everyone,

    We have a password management system (PMS) that stores all admin passwords; the user normally needs to retrieve the password from the PMS and then RDP to the server. I want to detect users who log in to the server without retrieving the password from the PMS.

    I found this condition in the rule wizard: "and when these rules match at least this many times in this many minutes after any of these rules match", and I want to make sure the Windows logon event username is the same as the one in the password retrieval event. Any suggestions on how to compare these two fields in two events? Does the "this property equal this property" condition work for my situation?

    Or is there any other suggestion on how to implement this?

    Thank you for your help

    ------------------------------
    Linsong Guo
    ------------------------------
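
The correlation asked about in the post above, as an added example that is not part of the original post and is not QRadar rule syntax: it flags RDP logons that have no password retrieval by the same username in the preceding window. The event field names, the 15-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed maximum gap between retrieval and logon

def norm_user(name):
    """Reduce DOMAIN\\user, user@domain and mixed case to one comparison key."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]

def logons_without_retrieval(events, window=WINDOW):
    """Return RDP logon events with no PMS retrieval by the same user
    within `window` before the logon."""
    last_retrieval = {}  # normalized username -> time of latest retrieval
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user = norm_user(ev["user"])
        if ev["type"] == "pms_retrieve":
            last_retrieval[user] = ev["time"]
        elif ev["type"] == "rdp_logon":
            seen = last_retrieval.get(user)
            # Alert when there is no retrieval at all, or only a stale one.
            if seen is None or ev["time"] - seen > window:
                alerts.append(ev)
    return alerts

# Constructed sample events. "rdp_logon" stands for a Windows Security
# event 4624 with logon type 10; "pms_retrieve" for the PMS checkout event.
T0 = datetime(2020, 8, 25, 9, 0)
SAMPLE_EVENTS = [
    {"time": T0, "type": "pms_retrieve", "user": "alice@corp.example"},
    {"time": T0 + timedelta(minutes=5), "type": "rdp_logon",
     "user": "CORP\\Alice", "host": "srv01"},   # retrieval 5 min earlier: fine
    {"time": T0 + timedelta(minutes=10), "type": "rdp_logon",
     "user": "CORP\\bob", "host": "srv02"},     # no retrieval at all: alert
    {"time": T0 + timedelta(minutes=40), "type": "rdp_logon",
     "user": "alice", "host": "srv01"},         # retrieval 40 min old: alert
    {"time": T0 + timedelta(minutes=50), "type": "pms_retrieve",
     "user": "bob"},                            # after the logon: does not clear it
]

if __name__ == "__main__":
    for ev in logons_without_retrieval(SAMPLE_EVENTS):
        print(ev["time"], norm_user(ev["user"]), ev["host"])
```

Normalizing the username before comparison matters because the two log sources rarely record the account in the same form.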