I hope this will help someone out there.

Add this to the local_rules.xml to have alerts sent when an RDP session is
established to your Windows 2003 or Windows 2008 Servers:

  <rule id="100888" level="10">
    <if_sid>18104</if_sid>
    <!-- 682: Windows 2003 session reconnected; 4778: Windows 2008 session reconnected -->
    <id>^682|^4778</id>
    <description>Remote Desktop Connection Established</description>
    <group>win_authentication_failed,</group>
  </rule>

NOTE: I am still unsure about the group portion of this rule, so I just kept it
as I have it above. Also, you will need to enable auditing for logins on the
local policy or GPO like below:

Policies > Windows Settings > Security Settings > Local Policies > Audit Policy

  Policy                          Setting
  Audit account logon events      Success, Failure
  Audit account management        Success, Failure
  Audit directory service access  Success, Failure
  Audit logon events              Success, Failure
  Audit object access             Failure
  Audit policy change             Success, Failure
  Audit privilege use             Failure
  Audit system events             Success, Failure
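As an added example (not code from the post or from OSSEC), here is a small Python model of how the rule's <if_sid> and <id> fields select events, run over constructed audit records. It assumes rule 18104 is OSSEC's Windows audit-success rule and that an <id> pattern treats '^' and '$' as start/end anchors with '|' between alternatives; it also shows what anchoring the ids with '$' changes.

```python
# Added example, not the post's or OSSEC's code.  Assumes: parent rule 18104
# is OSSEC's "Windows audit success event"; an <id> pattern is '|'-separated
# alternatives where '^' anchors the start and '$' the end of the event id.
RULE = {"id": 100888, "level": 10, "if_sid": 18104,
        "id_pattern": "^682|^4778",
        "description": "Remote Desktop Connection Established"}

# Constructed decoded Windows events (audit status + event id), not real logs.
SAMPLE_EVENTS = [
    {"status": "AUDIT_SUCCESS", "id": "4778"},  # Win2008 session reconnected
    {"status": "AUDIT_SUCCESS", "id": "682"},   # Win2003 session reconnected
    {"status": "AUDIT_SUCCESS", "id": "4779"},  # Win2008 session disconnected
    {"status": "AUDIT_FAILURE", "id": "4778"},  # failure status: 18104 silent
    {"status": "AUDIT_SUCCESS", "id": "6825"},  # hypothetical id, shares prefix 682
]


def id_matches(pattern: str, event_id: str) -> bool:
    """True if event_id satisfies the <id> pattern.  An alternative without a
    trailing '$' is only a prefix match, so '^682' also accepts '6825'."""
    for alt in pattern.split("|"):
        body = alt.lstrip("^").rstrip("$")
        if alt.startswith("^") and alt.endswith("$"):
            hit = event_id == body
        elif alt.startswith("^"):
            hit = event_id.startswith(body)
        elif alt.endswith("$"):
            hit = event_id.endswith(body)
        else:
            hit = body in event_id
        if hit:
            return True
    return False


def parent_fires(event: dict) -> bool:
    """Model of rule 18104 (assumed to fire on Windows audit-success events)."""
    return event["status"].startswith("AUDIT_SUCCESS")


def evaluate(events: list, id_pattern: str = RULE["id_pattern"]) -> list:
    """Ids of the events that would raise alert 100888 under id_pattern."""
    return [e["id"] for e in events
            if parent_fires(e) and id_matches(id_pattern, e["id"])]


if __name__ == "__main__":
    print("as posted:", evaluate(SAMPLE_EVENTS))                  # ['4778', '682', '6825']
    print("anchored: ", evaluate(SAMPLE_EVENTS, "^682$|^4778$"))  # ['4778', '682']
```

The disconnect event 4779 and the failure-status record are correctly excluded either way; only the unanchored prefix lets an unrelated id slip through.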
