Suspicious Failed Logons
Multiple failed logons by a single user account against different nodes or machines is a highly suspicious pattern that may indicate a malware infection: malware on an infected host attempting to move laterally within the organization. The same pattern can also be produced by a stale credential (a service, scheduled task or mapped drive still using an old password), so confirm the source host before treating it as a compromise.
The Suspicious Failed Logons sub-panel lists failed logons by valid (existing) user accounts that attempted to access multiple nodes, so investigators can quickly pinpoint machines that may be infected.
Visuals
- Users – Bar chart of valid users with recorded logon failures on multiple nodes within the specified time frame. Click a user to view the nodes where the failures occurred and the targeted hosts. Right-click a user and drill down to ‘Details’ to view a detailed report that can be downloaded or emailed.
- Failed Logons Trend – Graph showing the trend of failed logon activity over the specified time frame.
- Nodes – Nodes where the failures occurred.
- Failed Logon Operations – The types of logon operations that failed.
- Targeted Hosts – Hosts that the failed logons targeted.
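The following is an added example, not the product's own code, showing the logic behind this sub-panel and its visuals: over a set of failed-logon records it keeps only failures of existing accounts inside the time frame, flags each user that failed against several distinct hosts, and produces the per-user breakdown (nodes, logon operations, targeted hosts) and the bucketed trend. The event records, host names, user names and the three-host threshold are constructed for the example; the field meanings follow Windows Security event 4625 (logon type, and the NTSTATUS sub-status that distinguishes a wrong password from a user name that does not exist).

```python
"""Flag a valid account failing logons against several hosts in a time frame.

Added example (not the product's own code) that reproduces the sub-panel's
logic over constructed records with hypothetical host and user names.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records shaped like a SIEM's normalised view of Windows
# Security event 4625 (an account failed to log on).
#   node        - system that recorded the failure
#   target      - host the account tried to access
#   logon_type  - 2 interactive, 3 network, 10 RemoteInteractive (RDP)
#   substatus   - NTSTATUS sub-status: 0xC000006A wrong password,
#                 0xC0000064 user name does not exist
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:05", "node": "WS-017", "target": "FS-01",  "user": "jdoe",   "logon_type": 3, "substatus": "0xC000006A"},
    {"time": "2024-05-01T09:00:09", "node": "WS-017", "target": "FS-02",  "user": "jdoe",   "logon_type": 3, "substatus": "0xC000006A"},
    {"time": "2024-05-01T09:00:14", "node": "WS-017", "target": "SQL-01", "user": "jdoe",   "logon_type": 3, "substatus": "0xC000006A"},
    {"time": "2024-05-01T09:00:20", "node": "WS-017", "target": "DC-01",  "user": "jdoe",   "logon_type": 3, "substatus": "0xC000006A"},
    # one user mistyping a password on a single workstation: not lateral movement
    {"time": "2024-05-01T09:10:00", "node": "WS-042", "target": "WS-042", "user": "asmith", "logon_type": 2, "substatus": "0xC000006A"},
    {"time": "2024-05-01T09:11:00", "node": "WS-042", "target": "WS-042", "user": "asmith", "logon_type": 2, "substatus": "0xC000006A"},
    # a mistyped user name is not a valid user and must not be counted
    {"time": "2024-05-01T09:20:00", "node": "WS-017", "target": "FS-01",  "user": "jdeo",   "logon_type": 3, "substatus": "0xC0000064"},
    {"time": "2024-05-01T09:20:03", "node": "WS-017", "target": "FS-02",  "user": "jdeo",   "logon_type": 3, "substatus": "0xC0000064"},
    {"time": "2024-05-01T09:20:07", "node": "WS-017", "target": "SQL-01", "user": "jdeo",   "logon_type": 3, "substatus": "0xC0000064"},
    # outside the example's time frame
    {"time": "2024-05-01T12:30:00", "node": "WS-017", "target": "FS-03",  "user": "jdoe",   "logon_type": 3, "substatus": "0xC000006A"},
]

UNKNOWN_USER = "0xC0000064"


def _parse(ts):
    return datetime.fromisoformat(ts)


def _in_scope(event, start, end):
    """True for failures of existing accounts inside [start, end)."""
    ts = _parse(event["time"])
    return start <= ts < end and event["substatus"] != UNKNOWN_USER


def failed_logon_summary(events, start, end, min_hosts=3):
    """Per-user breakdown for valid accounts that failed against >= min_hosts distinct hosts."""
    start, end = _parse(start), _parse(end)
    per_user = defaultdict(lambda: {"count": 0, "targets": set(), "nodes": set(), "logon_types": Counter()})
    for ev in events:
        if not _in_scope(ev, start, end):
            continue
        s = per_user[ev["user"]]
        s["count"] += 1
        s["targets"].add(ev["target"])          # "Targeted Hosts"
        s["nodes"].add(ev["node"])              # "Nodes"
        s["logon_types"][ev["logon_type"]] += 1  # "Failed Logon Operations"
    return {
        user: {
            "count": s["count"],
            "targets": sorted(s["targets"]),
            "nodes": sorted(s["nodes"]),
            "logon_types": dict(s["logon_types"]),
        }
        for user, s in per_user.items()
        if len(s["targets"]) >= min_hosts       # the "multiple nodes" condition
    }


def failed_logon_trend(events, start, end, bucket_minutes=5):
    """Count in-scope failures per fixed-width bucket, keyed by bucket start (ISO, to the minute)."""
    start, end = _parse(start), _parse(end)
    trend = Counter()
    for ev in events:
        if not _in_scope(ev, start, end):
            continue
        ts = _parse(ev["time"])
        minute_of_day = ts.hour * 60 + ts.minute
        floored = minute_of_day - minute_of_day % bucket_minutes
        bucket = ts.replace(hour=floored // 60, minute=floored % 60, second=0, microsecond=0)
        trend[bucket.isoformat(timespec="minutes")] += 1
    return dict(sorted(trend.items()))


if __name__ == "__main__":
    window = ("2024-05-01T09:00:00", "2024-05-01T10:00:00")
    for user, detail in failed_logon_summary(SAMPLE_EVENTS, *window).items():
        print(user, detail)
    print(failed_logon_trend(SAMPLE_EVENTS, *window))
```

With the sample data only jdoe is flagged: four failures from node WS-017 against four different hosts, all network logons, which is the shape of lateral movement. The "user name does not exist" failures are dropped before counting, so a mistyped account never appears as a valid user, and asmith's repeated failures on a single workstation fall below the distinct-host threshold.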