Fork me on GitHub

Teleport

Desktop Access Audit Events Reference

Improve

windows.desktop.session.start (TDP00I/W)

Emitted when a client successfully connects to a desktop or when a connection attempt fails because access was denied.

Successful connection event:

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP00I",
  "desktop_addr": "192.168.1.206:3389",
  "desktop_labels": {
    "teleport.dev/computer_name": "WIN-I44F9TN11M3",
    "teleport.dev/dns_host_name": "WIN-I44F9TN11M3.teleport.example.com",
    "teleport.dev/is_domain_controller": "true",
    "teleport.dev/origin": "dynamic",
    "teleport.dev/os": "Windows Server 2012 R2 Standard Evaluation",
    "teleport.dev/os_version": "6.3 (9600)",
    "teleport.dev/windows_domain": "teleport.example.com"
  },
  "ei": 0,
  "event": "windows.desktop.session.start",
  "login": "administrator",
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true,
  "time": "2022-02-16T16:43:30.459Z",
  "uid": "1605346b-d90b-4df7-8148-67a3e2d85673",
  "user": "alice",
  "windows_desktop_service": "316a3ffa-23e6-4d85-92a1-5e44754f8189",
  "windows_domain": "teleport.example.com",
  "windows_user": "administrator"
}

Access denied event:

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP00W",
  "desktop_addr": "192.168.1.206:3389",
  "desktop_labels": {
    "teleport.dev/computer_name": "WIN-I44F9TN11M3",
    "teleport.dev/dns_host_name": "WIN-I44F9TN11M3.teleport.example.com",
    "teleport.dev/is_domain_controller": "true",
    "teleport.dev/origin": "dynamic",
    "teleport.dev/os": "Windows Server 2012 R2 Standard Evaluation",
    "teleport.dev/os_version": "6.3 (9600)",
    "teleport.dev/windows_domain": "teleport.example.com"
  },
  "ei": 0,
  "error": "access to desktop denied", // Connection error
  "event": "windows.desktop.session.start",
  "message": "access to desktop denied", // Detailed error message.
  "login": "administrator",
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": false, // Indicates unsuccessful connection
  "time": "2022-02-16T16:43:30.459Z",
  "uid": "1605346b-d90b-4df7-8148-67a3e2d85673",
  "user": "alice",
  "windows_desktop_service": "316a3ffa-23e6-4d85-92a1-5e44754f8189",
  "windows_domain": "teleport.example.com",
  "windows_user": "administrator"
}

windows.desktop.session.end (TDP01I)

Emitted when a client disconnects from the desktop.

{
  "cluster_name": "root",
  "code": "TDP01I",
  "desktop_addr": "192.168.1.206:3389",
  "desktop_labels": {
    "teleport.dev/computer_name": "WIN-I44F9TN11M3",
    "teleport.dev/dns_host_name": "WIN-I44F9TN11M3.teleport.example.com",
    "teleport.dev/is_domain_controller": "true",
    "teleport.dev/origin": "dynamic",
    "teleport.dev/os": "Windows Server 2012 R2 Standard Evaluation",
    "teleport.dev/os_version": "6.3 (9600)",
    "teleport.dev/windows_domain": "teleport.example.com"
  },
  "desktop_name": "WIN-I44F9TN11M3-teleport-example-com",
  "ei": 0,
  "event": "windows.desktop.session.end",
  "login": "administrator",
  "participants": ["alice"],
  "recorded": true,
  "session_start": "2022-02-16T16:43:30.459Z",
  "session_stop": "2022-02-16T16:46:50.894Z",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "time": "2022-02-16T16:46:50.895Z",
  "uid": "c7956a81-597f-4452-90d7-800506f7a05b",
  "user": "alice",
  "windows_desktop_service": "316a3ffa-23e6-4d85-92a1-5e44754f8189",
  "windows_domain": "teleport.example.com",
  "windows_user": "administrator"
}

desktop.clipboard.send (TDP02I)

Emitted when clipboard data is sent from a user's workstation to Teleport. In order to avoid capturing sensitive data, the event only records the number of bytes that were sent.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP02I",
  "desktop_addr": "192.168.1.206:3389",
  "ei": 0,
  "event": "desktop.clipboard.send",
  "length": 4, // number of bytes sent
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "time": "2022-02-16T16:43:40.010217Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

desktop.clipboard.receive (TDP03I)

Emitted when Teleport receives clipboard data from a remote desktop. In order to avoid capturing sensitive data, the event only records the number of bytes that were received.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP03I",
  "desktop_addr": "192.168.1.206:3389",
  "ei": 0,
  "event": "desktop.clipboard.receive",
  "length": 4, // number of bytes received
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "time": "2022-02-16T16:43:40.010217Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

desktop.directory.share (TDP04I/W)

Emitted when Teleport starts sharing a directory on a local machine to the remote desktop.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP04I", // TDP04W if the operation failed
  "desktop_addr": "192.168.1.206:3389",
  "directory_id": 2,
  "directory_name": "local-files",
  "ei": 0,
  "event": "desktop.directory.share",
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true, // false if the operation failed
  "time": "2022-10-21T22:36:27.314409Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

desktop.directory.read (TDP05I/W)

Emitted when Teleport reads data from a file on the local machine and sends it to a program on the remote desktop. In order to avoid capturing sensitive data, the event only records the offset from the start of the file from which the read began and the number of bytes that were sent.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP05I", // TDP05W if the operation failed
  "desktop_addr": "192.168.1.206:3389",
  "directory_id": 2,
  "directory_name": "local-files",
  "ei": 0,
  "event": "desktop.directory.read",
  "file_path": "powershell-scripts/a-script.ps1", // relative path from the root of the shared directory (local-files in this case)
  "length": 734, // the number of bytes read
  "offset": 0, // the offset from the start of the file from which the read began
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true, // false if the operation failed
  "time": "2022-10-21T22:36:27.314409Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}

desktop.directory.write (TDP06I/W)

Emitted when Teleport writes data from the remote desktop to a file on the local machine. In order to avoid capturing sensitive data, the event only records the offset from the start of the file from which the write began and the number of bytes that were written.

{
  "addr.remote": "192.168.1.206:3389",
  "cluster_name": "root",
  "code": "TDP06I", // TDP06W if the operation failed
  "desktop_addr": "192.168.1.206:3389",
  "directory_id": 2,
  "directory_name": "local-files",
  "ei": 0,
  "event": "desktop.directory.read",
  "file_path": "powershell-scripts/a-script.ps1", // relative path from the root of the shared directory (local-files in this case)
  "length": 734, // the number of bytes written
  "offset": 0, // the offset from the start of the file from which the write began
  "proto": "tdp",
  "sid": "4a0ed655-1e0b-412b-b14a-348e840e7fa2",
  "success": true, // false if the operation failed
  "time": "2022-10-21T22:36:27.314409Z",
  "uid": "e45d9890-38a9-4580-8572-35fa0192b123",
  "user": "alice"
}