1E Verified
Copyright © 1E 2022 All Rights Reserved
User Login Events
Downloads
120
Endorsements
14
Components
7
Added
1 year ago
Last Updated
9 months ago
Compatibility
Client Supported - 23.7, 8.1, 8.2, 8.4, 9.0
OS Supported - Microsoft Windows 11, 10
OS Supported - Microsoft Windows 11, 10
Description
This DEXPack (formerly Product pack) contains Endpoint Automation policy (formerly Guaranteed State), rules and instructions that provide the user data inventory which contains the information about the user logged onto the devices.
Key Features
- Get list of active interactive Windows login details.
- Get the logon event details for a particular user.
- Fixes the issue where the Device logs off right away after login by resetting the Run or RunOnce registry keys.
Setup
- Upload this DEXPack with the help of Product Pack Deployment Tool.
- An Endpoint Automation Policy named User login - Store the user login will be created.
- An Endpoint Automation Rule Store the user login will be created in this policy.
Usage
- Review the User login - Store the user login rule.
- The precondition ensures that the rule is executed only on Windows devices.
- Adjust the debounce as per your requirement this will pause the rule evaluation if it is evaluated within the specified number of debounce seconds.
- Check will identity the logon event ID 4624 from Windows security event log and store the information.
Note: - Checks are performed and stored only for the below logon types for event ID 4624.
| LogonType | Description |
|---|---|
| 2 | Interactive (Logon locally) |
| 3 | Network (NET USE, RPC calls etc) |
| 10 | RemoteInteractive (Remote Desktop) |
| 11 | CachedInteractive (logon with cached domain credentials) |
Reports
Reports will start generating a few days after policy is deployed and can be viewed in Endpoint Automation application portal. Below is the device state definition information as per their state.
- Compliant state represents policy has been deployed and login information will be stored on logon event.
- Not applicable are devices that are running on non-windows OS.
- Unknown are devices yet to report their state.
Instruction
“Get the user <UserName> logon history. Type for % all users." provides the results of logon event for username provided or use % to fetch data for all users.
“Display failed logon event details for user %User% and logon type %LogonType% for past %DayCount% days.” Displays failed logon information stored in windows event logs.
“What interactive Windows logins are active/inactive? “Provides information of user logon state.
“Apply fix for issue where PC logs off right away on login” fixes the issue where the PC logs off right away after logon.
“List all users logged on since %startDate% with a stagger of %limitSecs% seconds” Provides List all the users who have logged on for a duration after a specified start date. Inventory module needs to be enabled.
Components
1E-Exchange-Get-UserlogonHistory
INSTRUCTION
Description
Fetch the data from local storage stored by the rule to "User login - Store the user login " based on 4624 event.
Readable Payload
Get the user %UserName% logon history. Type % for all users.
1E-Exchange-GetFailedLogonEventDetails
INSTRUCTION
Description
Show failed logon event details corresponding to event id = 4625 for specified user filtered by specified no of days.
Readable Payload
Display failed logon event details for user %User% and logon type %LogonType% for past %DayCount% days.