Suspicious Successful Logons
Multiple successful logons from a single user to different nodes or machines are another extremely suspicious pattern of activity that might indicate a malware infection. This could be a situation where malware on an infected host machine has obtained a user’s credentials and is moving laterally within the organization.
The Suspicious Logons sub-panel displays all successful logons to multiple nodes in the organization, allowing investigators to quickly pinpoint machines that may have malware.
Visuals
- Users – Bar chart of users with successful logons to multiple nodes within the specified time frame. Click on a user to view nodes where logons occurred. Right-click on a user and drill down to ‘Details’ to view a detailed report.
- Failed Logons Trend – Graph indicating the trend of successful logon activity for the specified time frame. Click on a peak to view what caused the peak.
- Nodes – Nodes from which logons occurred.
- Successful Logon Operations – Displays the types of logon events used to establish a successful connection.
- Targeted Hosts – Hosts to which successful logons connected.
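The pattern this sub-panel surfaces can also be checked directly against exported logon records. The sketch below is an added example, not the product's own logic: it flags any user whose successful logons reach several distinct hosts inside a sliding time window. The event layout, the 10-minute window, the 3-host threshold and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from any real environment):
# (timestamp, user, source node, target host, logon operation)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "alice", "ws-01", "ws-01", "Interactive"),
    ("2024-05-01T09:02:10", "bob", "ws-07", "fs-01", "Network"),
    ("2024-05-01T09:02:40", "bob", "ws-07", "fs-02", "Network"),
    ("2024-05-01T09:03:15", "bob", "ws-07", "db-01", "Network"),
    ("2024-05-01T09:04:00", "bob", "ws-07", "dc-01", "RemoteInteractive"),
    ("2024-05-01T13:30:00", "alice", "ws-01", "fs-01", "Network"),
    ("2024-05-01T17:45:00", "alice", "ws-01", "db-01", "Network"),
]

def find_multi_node_logons(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {user: finding} for users whose successful logons reached at
    least `min_hosts` distinct target hosts within one sliding `window`.
    Both thresholds are assumptions to tune per environment."""
    recent = defaultdict(deque)   # user -> events still inside the window
    findings = {}
    for ts, user, source, target, op in sorted(events):
        t = datetime.fromisoformat(ts)
        q = recent[user]
        q.append((t, source, target, op))
        while t - q[0][0] > window:   # drop events older than the window
            q.popleft()
        hosts = {e[2] for e in q}
        if len(hosts) >= min_hosts:
            f = findings.setdefault(user, {
                "targets": set(), "sources": set(), "operations": set(),
                "first_seen": q[0][0],   # start of the first flagged burst
            })
            f["targets"] |= hosts
            f["sources"] |= {e[1] for e in q}
            f["operations"] |= {e[3] for e in q}
    return findings

if __name__ == "__main__":
    for user, f in find_multi_node_logons(SAMPLE_EVENTS).items():
        print(user, sorted(f["targets"]), sorted(f["sources"]), f["first_seen"])
```

With the defaults only `bob` is flagged; `alice` also touches three hosts, but spread across the day, which shows how much the result depends on the chosen window.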