Suspicious Failed Logons
Multiple failed logins from a single user to different nodes or machines is an extremely suspicious pattern of activity that might indicate a malware infection. This could be a situation where malware on an infected host machine is attempting to move laterally within an organization.
The Suspicious Failed Logons sub-panel displays all failed logons of valid users that have attempted access to multiple nodes in the organization allowing investigators to quickly pinpoint machines that may have malware.
- Users – Bar chart of valid failed logon users that have recorded logon failures for multiple nodes within the specified time frame. Click on a user to view nodes where failure occurred and target hosts. Right-click on a user and drill down to ‘Details’ to view a detailed report that can be downloaded or emailed.
- Failed Logons Trend – Graph indicating trend of failed logon activity for specified time frame.
- Nodes – Nodes where failures occurred.
- Failed Logon Operations – Displays the types of logon events that caused failures.
- Targeted Hosts – Hosts where failed logins were recorded.