Add event details for failed logins
When an alert comes in from a failed login, it would be great if the alert could show the event details so I don't have to go searching through the event viewer.
-
Ahmet Hayirli
commented
We already have a script that reliably shows which user caused the failed logon and from which source (logon type / origin) the failed attempts came.
We have attached this script to the threshold, but its execution and output are not shown in the device tasks.
As a result, every time an alert is triggered, we still have to manually run the script on the affected device in order to quickly see which user and which source caused the failed logins.
-
David Yoder
commented
10 minutes ago I received an alert for "7 failed login attempts during a time period of 5.00 minutes". That's all the alert text says. If I go to the endpoint, the alert section there reads the same thing.
Naturally, I want to know more about the event log messages that triggered the alert. So I go to Manage -> Event Viewer to see more information. I navigate to the Security log and load up 500 events. I quickly find out that 500 events isn't enough, so I load up 1000 events and scroll all the way down, but I still can't see the time and events I need to see.
This endpoint is a file server with ~50 users connected to it, so an alert that's 10 minutes old has more than 1000 events logged and is unsearchable in Atera.
So now I connect to the endpoint interactively and load up a prebuilt filter in the Windows Event Log to see what I need to. Why not save time and bypass Atera's tools completely?
The fix for this would be to include some context about the alert. Show me the event log messages that triggered the alert and the context surrounding them.
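Added example, not Atera's tooling and not the script Ahmet mentions above: a PowerShell snippet that pulls the failed-logon events (Security event ID 4625) for the alert window and summarises them by user, logon type and source, which is the context both comments above are asking the alert to show. The alert time and the 5-minute window are assumed parameters; it must be run elevated on the affected endpoint.

```powershell
# Added example (not Atera's code or the script mentioned in the thread).
# Summarise failed logons (Security event ID 4625) for the alert window so the
# user and source are visible without scrolling through the event viewer.
# Assumptions: run elevated on the affected Windows endpoint; AlertTime and
# WindowMinutes are hypothetical parameters matching the alert text.
param(
    [datetime]$AlertTime    = (Get-Date),
    [int]     $WindowMinutes = 5
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $AlertTime.AddMinutes(-$WindowMinutes)
    EndTime   = $AlertTime
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No 4625 events between $($filter.StartTime) and $($filter.EndTime)."
    return
}

# Read the named fields from the event XML instead of parsing the message text.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType   = $data.LogonType        # 2 interactive, 3 network, 10 RDP, ...
        SourceIP    = $data.IpAddress
        Workstation = $data.WorkstationName
        Status      = $data.Status           # 0xC000006D = logon failure
        SubStatus   = $data.SubStatus        # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# Per-source summary first (what the alert should show), then the raw events.
$rows | Group-Object User, LogonType, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'User, LogonType, SourceIP'; e = { $_.Name } } |
    Format-Table -AutoSize

$rows | Sort-Object Time | Format-Table -AutoSize
```

Run it with `-AlertTime` set to the timestamp in the alert to reproduce the exact window the threshold fired on.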