Account breached; How to detect inbound connections made via RDP?

TedMacD
Conversationalist

Hi All,

Is there a filter, in the Meraki event logs, which would identify any/all connections that have been made via RDP? A computer on the network in question was running RDP on the standard port via port forwarding, and I'm trying to determine if/when anyone was connecting to it via that method because a user's Gmail account was breached and I'm trying to figure out how that occurred when 2FA is enabled on the account.

Wondering if somebody lucked out and came across the IP and subsequently found the workstation in an unlocked state. Seems unlikely, but I'd like to track who's been connecting in.

Thanks in advance...

2 Replies
TedMacD
Conversationalist

Meraki support advises me that RDP connections are not logged, which is unfortunate.
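
Added example, not part of the original thread: when the firewall keeps no record of RDP sessions, the Windows host that was exposed usually does, in its Security log and in the Remote Desktop Services operational log. The PowerShell below pulls both and lists user and source address per event; the 30-day look-back window and the choice of logon types are assumptions of this example, and it must be run elevated on the workstation that had the port forwarded.

```powershell
# Added example (not from the thread). Run elevated on the RDP-exposed workstation.
$since = (Get-Date).AddDays(-30)   # assumed look-back window; adjust as needed

function Get-DataField([xml]$Xml, [string]$Name) {
    # Security events store their fields as <Data Name="..."> elements under EventData
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$local = '-', '127.0.0.1', '::1'   # source values that indicate a local logon, not a remote one

# Security log: 4624 = logon succeeded, 4625 = logon failed.
# LogonType 10 = RemoteInteractive (RDP), 7 = unlock/reconnect of an existing session,
# 3 = network logon (failed RDP attempts are typically logged as type 3 when NLA is on).
$logons = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml    = [xml]$_.ToXml()
    $type   = Get-DataField $xml 'LogonType'
    $ip     = Get-DataField $xml 'IpAddress'
    $wanted = if ($_.Id -eq 4624) { '7', '10' } else { '3', '10' }
    if ($type -in $wanted -and $ip -and $ip -notin $local) {
        [pscustomobject]@{
            Time = $_.TimeCreated; EventId = $_.Id; LogonType = $type
            User = Get-DataField $xml 'TargetUserName'; SourceIP = $ip
        }
    }
}

# Remote Desktop Services log: event 1149 records the user (Param1) and
# source network address (Param3) of an inbound RDP connection.
$rcm = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    Id        = 1149
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $e = ([xml]$_.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{
        Time = $_.TimeCreated; EventId = 1149; LogonType = 'RDP'
        User = $e.Param1; SourceIP = $e.Param3
    }
}

# One timeline of remote logons and attempts, oldest first
@($logons) + @($rcm) | Sort-Object Time | Format-Table -AutoSize
```

Both logs are size-limited and roll over, so an empty result for an older date does not show that no connection was made then.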

PhilipDAth
Kind of a big deal
