Logon Security
Checks the event log for logon security events.
Overview
This event monitor scans the security event logs on remote machines to detect logon security events, including failed login attempts and specific user logon activities.
Use Cases
- Suspicious Login Attempts: Receive notifications about suspicious login attempts.
- Monitoring Banned Users: Monitor login attempts of banned users.
Monitoring Options
Connectivity Alerts
- Device Contact: Alert with [Info/Warning/Error/Critical] if the device cannot be contacted.
Failed Login Attempt Alerts
- Failed Login Attempts: Alert with [Info/Warning/Error/Critical] when one or more failed login attempts are found.
- Ignore Additional Preauthentication: Exclude events indicating the need for additional preauthentication from the failed login notification.
- Ignore Incorrect Password: Exclude login attempts with a correct username but an incorrect password.
User Session Alerts
- Permitted Users: Alert if a user other than those listed (permitted) is found to have a session.
- Banned Users: Alert if any of these users (banned) are found to have a session.
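The sketch below shows how the failed-login and user-session options above interact when applied to Windows Security log records. It is an added example, not the product's own code. Assumptions: the event IDs and status codes are the standard Windows ones, a "session" is taken to be a successful logon event (4624), an empty permitted list disables that check, and the record layout (`id`, `user`, `code`) and the `evaluate` function are hypothetical.

```python
# Standard Windows Security event IDs and status codes.
LOGON_OK = 4624                      # an account was successfully logged on
FAILURE_IDS = {4625, 4768, 4771}     # failed logon / Kerberos TGT request / preauth failed
BAD_PASSWORD = {(4625, 0xC000006A),  # SubStatus: valid user name, wrong password
                (4771, 0x18)}        # KDC_ERR_PREAUTH_FAILED
PREAUTH_REQUIRED = {(4768, 0x19)}    # KDC_ERR_PREAUTH_REQUIRED

def evaluate(events, ignore_preauth=False, ignore_bad_password=False,
             permitted=(), banned=()):
    """Return (alert_type, user) tuples for the given option settings."""
    permitted = {u.lower() for u in permitted}
    banned = {u.lower() for u in banned}
    alerts = []
    for ev in events:
        user, key = ev["user"].lower(), (ev["id"], ev["code"])
        if ev["id"] == LOGON_OK:
            # Banned takes precedence; the permitted check only runs if a list is set.
            if user in banned:
                alerts.append(("banned_session", user))
            elif permitted and user not in permitted:
                alerts.append(("unpermitted_session", user))
        elif ev["id"] in FAILURE_IDS and ev["code"] != 0:
            if ignore_preauth and key in PREAUTH_REQUIRED:
                continue   # "Ignore Additional Preauthentication"
            if ignore_bad_password and key in BAD_PASSWORD:
                continue   # "Ignore Incorrect Password"
            alerts.append(("failed_login", user))
    return alerts

# Constructed sample records (not taken from a real log).
SAMPLE = [
    {"id": 4625, "user": "alice", "code": 0xC000006A},  # wrong password
    {"id": 4625, "user": "ghost", "code": 0xC0000064},  # user does not exist
    {"id": 4768, "user": "carol", "code": 0x19},        # additional preauth required
    {"id": 4771, "user": "bob", "code": 0x18},          # Kerberos wrong password
    {"id": 4768, "user": "dave", "code": 0x0},          # successful TGT request
    {"id": 4624, "user": "Mallory", "code": 0},
    {"id": 4624, "user": "svc_backup", "code": 0},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE, ignore_preauth=True, ignore_bad_password=True,
                          permitted=["svc_backup"], banned=["mallory"]):
        print(alert)
```

With both ignore options enabled, only the attempt against a nonexistent account remains as a failed login, which is the signal that usually separates username guessing from routine password typos.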
Authentication and Security
Ensure the monitoring account has admin rights for accessing event logs.
Protocols
Data Points
This event monitor does not generate any data points.