Enabling an RDP connection is not logged in EDR
Article ID: 196022
Updated On:
Products
Endpoint Detection and Response
Issue/Introduction
RDP enabling/disabling events are not properly reported by EDR.
Setting fDenyTSConnections to 1 which disables RDP is wrongly reported in "EDR as RDP Enable"
Setting fDenyTSConnections to 0 which enables RDP is not reported at all
Cause
This issue is caused by how SEP generates these logs
Resolution
The IntelliFilter rules included in SEP client 14.3 includes an updated rule which detects enabling RDP, instead of disabling RDP.
Feedback
Yes
No
Powered by
