How to make an automatic notification for RDP logins
Why do I want to set up a notification?
As before, I had made a notification for SSH on a Linux server. Then I got a Windows server. For safety concerns, I created a script for RDP notification.
How to deploy
To avoid leaking your sensitive information (user names, source IP addresses, login times) to a third-party service, deploy PrometheusAlert yourself and create a webhook URL for the notification; the template name referenced in the webhook URL (tpl=RDP-warning below) must exist in PrometheusAlert and use the JSON fields the script sends. To resolve an IP address to a physical location you also need to download nali, plus its GeoIP database for English output (in some old versions of PowerShell, Chinese characters are not rendered well).
Create a PowerShell script. I named mine RDP_email.ps1.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Most recent RDP logon: Security 4624 with LogonType 10 (RemoteInteractive). Filtering on the
# logon type stops an unrelated 4624 (service or network logon) written between the trigger and
# this script from being reported as the RDP user.
$logon = Get-WinEvent -LogName 'Security' -MaxEvents 1 -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
if (-not $logon) { exit 0 }   # nothing to report if no RDP logon has been recorded yet
# 4624 EventData layout: [1] SubjectUserName (the computer account, hence the trailing '$'),
# [5] TargetUserName, [18] IpAddress, [19] IpPort
$hostname = $logon.Properties[1].Value.TrimEnd('$')
$user = $logon.Properties[5].Value
$datetime = $logon.TimeCreated.ToString("dd.MMM.yyyy HH:mm:ss")
$ip = $logon.Properties[18].Value
# Confirm the session is still established and take the client port from the live TCP table;
# matching on the event's IP keeps the right session when several clients are connected.
$conn = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $ip } | Select-Object -First 1
$remote_port = if ($conn) { $conn.RemotePort } else { $logon.Properties[19].Value }
# nali: use the GeoIP database and answer in English; set the path to where you put nali.exe
$env:NALI_DB_IP4 = "geoip"
$env:NALI_LANG = "en"
$nali = & C:\Users\Developer\Desktop\nali.exe $ip
# With NALI_LANG=en the output is plain ASCII, so no re-encoding is needed
$from_region = ($nali -join ' ').Trim()
# Build the hashtable that carries the message fields
$data = @{
    "hostname_1" = "$hostname"
    "user" = "$user"
    "server_time" = "$datetime"
    "from_ip" = "$ip"
    "from_port" = "$remote_port"
    "from_region" = "$from_region"
}
# Convert the hashtable to JSON
$jsonData = $data | ConvertTo-Json
# Set your webhook URL here (the PrometheusAlert instance you deployed)
$webhookURL = 'https://example.com/prometheusalert?type=email&tpl=RDP-warning'
# Send the HTTP POST request
Invoke-RestMethod -Uri $webhookURL -Method Post -Body $jsonData -ContentType 'application/json'
You need to adjust the following lines to match your environment:
$nali = & C:\Users\Developer\Desktop\nali.exe $ip
$webhookURL = 'https://example.com/prometheusalert?type=email&tpl=RDP-warning'
Set a scheduled task on Windows.
Press Win+R, type taskschd.msc and press Enter. Click Action => Create Task.
Give the task a name. Choose the "Configure for" setting that matches your current system.
Then select the user or group the task runs as. It needs permission to read the Security log, so use SYSTEM or a member of the Administrators group.
Create a new trigger.
The following setting is the essential step. If you want to monitor logins by administrators, set Log to "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin" and Event ID to 20521. If you just want to monitor RDP logins of normal users, set Log to "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" and Event ID to 1149. You can add both triggers if you want to monitor both. Note that 1149 ("User authentication succeeded") is written when the client passes network-level authentication, which happens before the user session is fully logged on; that is why the script confirms the logon against Security event 4624 with logon type 10 rather than trusting the trigger alone.
Next, add a new action for the trigger.
Use powershell.exe as the program and pass your script with the -File argument, for example -ExecutionPolicy Bypass -File "C:\path\to\RDP_email.ps1".
Then click OK; you may be asked for your password before the task is saved.
Finally, check that the task is enabled and works, for example by running it once from the Task Scheduler and checking that the notification arrives.
It is recommended to enable the history log by clicking Enable All Tasks History in the Actions pane, so that a task that fails to start or exits with an error is visible.
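The same task can be registered from PowerShell instead of the GUI, which makes the setup repeatable across servers. The following is an added example and not code from the original page: it builds the "On an event" trigger for Event ID 1149 in the Operational log (the trigger chosen above), points the action at the notification script, runs it as SYSTEM, and finishes with a smoke test. The task name RDP-Notify, the script path C:\Scripts\RDP_email.ps1 and the 5-second delay are assumptions; change them to suit.

```powershell
# Added example (not the page's code): register the event-driven RDP notification task from
# PowerShell. Run in an elevated PowerShell. Assumed values: task name, script path, delay.
$taskName   = 'RDP-Notify'                 # assumption
$scriptPath = 'C:\Scripts\RDP_email.ps1'   # assumption: where you saved the script

# Event trigger: fire on Event ID 1149 in the RemoteConnectionManager/Operational log, the
# same log/ID pair selected in the GUI. New-ScheduledTaskTrigger has no event trigger type,
# so the MSFT_TaskEventTrigger CIM instance is built directly and given the XPath
# subscription that Task Scheduler stores for an "On an event" trigger.
$logName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$subscription = @"
<QueryList>
  <Query Id="0" Path="$logName">
    <Select Path="$logName">*[System[Provider[@Name='Microsoft-Windows-TerminalServices-RemoteConnectionManager'] and EventID=1149]]</Select>
  </Query>
</QueryList>
"@
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled = $true
# Assumed delay: 1149 is logged at network-level authentication, so give the session logon
# a few seconds to write its Security 4624 before the script reads the log.
$trigger.Delay = 'PT5S'

# Action: run the script with a non-interactive PowerShell. -ExecutionPolicy Bypass applies
# only to this invocation, so the task does not depend on the machine-wide policy.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Principal: SYSTEM can read the Security log and the TCP table, and no password is stored.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Settings: allow a second instance when two users log in at once, and do not let power
# state suppress the run.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances Parallel -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $taskName -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify the trigger kept the subscription, then smoke-test by forcing one run and
# checking the exit code (LastTaskResult 0 means the script exited cleanly).
(Get-ScheduledTask -TaskName $taskName).Triggers | Select-Object -ExpandProperty Subscription
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 10
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult
```

A forced run with Start-ScheduledTask reports the most recent RDP logon already in the Security log, so it exercises the script and the webhook without needing a fresh connection. If the real trigger fires before the 4624 for the new session is written, the notification describes the previous logon instead; lengthen the Delay value if you see that on a slow server.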