Relevance for Web Report Schedule Activity

I have an analysis that is looking to see when RDP is active by using this relevance …
if exists (sockets of network) whose ((local port of it = value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry) and (tcp state of it as string = "ESTABLISHED")) then "Active" else "Not in use"
(this is set for “Every Report”)

I have a web report that uses various elements from this analysis but I would like to have the web report trigger whenever RDP becomes Active and email the report…
I'm not sure what the relevance should be. The ID of the analysis is 00-319666.
Any insight into this part of the Report trigger relevance would be much appreciated…
Thanks

Perhaps I should clarify… When I create the web report, I would like it to fire an email off when RDP is in use… There is little documentation that I can find for the structure and use of the relevance within the trigger section of the web report…

Thanks

Hi Pete. I also struggled with setting up a scheduled email for webreports. If there is good documentation, I haven’t found it yet. But this is how I solved a similar issue:

First, create a web report to show computers that show an Active result for your analysis. I set up your analysis on my lab, but we use Bomgar instead of RDP so that’s why I have no computers in the results:

Then go to Web Reports and select Administration > Create scheduled activity. These are the fields I check:

  • Type: Report (select your RDP report that you saved previously)
  • Format: HTML
  • Generate report on every refresh
  • Send email/store archive only when report has changed
  • Fill out the email section as you see fit (I check “Include report output”)

That’s it, then I click Submit and get an email whenever the report changes. In your case, you should get an email whenever the analysis results change and something becomes / drops out of Active RDP status.

I thought it was weird that I didn’t have to use the “Match Relevance conditions” box, that really threw me off initially. If I recall correctly, Adam Rodgers from IBM helped me out with this method when he was visiting my company (Thanks @AJRodgers!). I would also love to hear from anyone who knows more about this. But this is what I am currently doing.

Let me know how it goes!


Perfect Sean… That does the trick… Many thanks…
That RDP checking is part of a larger security analysis that I created that looks for firewall, RDP, FTP, telnet, file and printer sharing, SQL, IIS, Apache, Java versions etc…
cheers…
Pete