Now that we have the filter configured and assigned, our filter will notify us via email whenever a successful logon event is generated.
We want to tune this filter, so that we are only alerted on "RemoteInteractive" logon type 10 events. We can accomplish this by either adding a content filter using wildcard matches or insertion strings (recommended). Using just the wildcard match, we can create a content filter like:
*Logon Type: 10* (as seen in the screenshot below)
Alternatively, we can use an insertion string match. To find the insertion string for "Logon Type", we will want to click the lookup button in the details. Which will open the Event Message Browser (which can also be launched by going to Tools > Utilities > Event Message Browser in the EventSentry Management Console). As we can see in the Event Message Browser, the insertion string for 'Logon Type" is %9.
Adding an insertion string is similar to adding a wildcard match, except that we will choose "Insertion string match" from the Text Match type drop down menu. In this case we will select "9" from the Insertion String drop down and then specify 10 in the content filter section. Accordingly, this filter will only match when insertion string #9 has a value of 10 (which is the logon type for RDP logins).