STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG) Version: 2 Release: 13 Benchmark Date: 26 Apr 2019:

Systems must be monitored for remote desktop logons.

DISA Rule

SV-56535r4_rule

Vulnerability Number

V-43714

Group Title

AD.AU.0003

Rule Version

AD.AU.0003

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs.
Search for the event IDs listed with the following additional attributes:
Logon Type = 10 (RemoteInteractive)
Authentication Package Name = Negotiate

Successful User Account Login (Subcategory: Logon)
4624 - An account was successfully logged on.

The "Remote Desktop Logon Detection" section of NSA's "Spotting the Adversary with Windows Event Log Monitoring" provides a sample query for filtering.
https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm.

Check Contents

Verify Remote Desktop logins are being monitored. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools.

Monitor for the events listed below. If these events are not monitored, this is a finding.

More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs.
Search for the event IDs listed with the following additional attributes:
Logon Type = 10 (RemoteInteractive)
Authentication Package Name = Negotiate

Successful User Account Login (Subcategory: Logon)
4624 - An account was successfully logged on.

Systems must be monitored for remote desktop logons.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments