My organization has LEM agents deployed on the domain controllers. I have created a logon rule for users within a certain subnet of the organization (e.g., UserLogon.SourceMachine=Source IP).
Since the agent is on the DC, I can see the logon from the source user, but I cannot see the process which they are accessing after it's logged in the DC. How can I monitor logons and executions on both ends for precise monitoring (e.g., source and destination IPs/names), and what are ideal baselines for a setup like this with agents on the DC, keeping compliance as a necessity?
Thank you,
Nickolas