In this use case, our goals are to audit logins to various systems on our network and to receive alerts about any unexpected logins. Unexpected logins can include login attempts from unauthorized users, failed login attempts, or logins from new users. We also want to filter out authorized logins from trusted users so that we only receive alerts about logins or login attempts that are of concern.
For any large-scale organization, you'll need to audit logins across each of your properties. This article covers login monitoring for Windows, Linux, and in the cloud.
To begin monitoring logins on Windows, create a Logon Security Event Monitor. This will be the tool with which you can receive alerts about logins on your domain controllers and standalone servers.
This event monitor provides an option to send alerts if one or more user logins fail. Check that box to reveal a set of dropdown options that allow you to customize this setting further. You may want to exclude login attempts that require additional preauthentication or failed login events in which the account is valid but the user entered their password incorrectly. Using these two suboptions can help you avoid false alarms.
The next setting in the Logon Security Event Monitor lets you specify a comma-separated list of permitted users. You can fill this out during the event monitor's initial setup. The event monitor will warn if it finds any users who aren't on the list.
After you've been running this event monitor for a while, check its event history for a list of logins and login attempts. You can use this data to supplement your organization's auditing requirements as well as to form a list of users you'd like to ban. Note that the type of auditing performed here by FrameFlow is meant to supplement other IT security measures, so make sure you're implementing other event monitoring as needed.
With the information you've gathered from the event history, you can now formulate a list of users that the event monitor will consider banned. If a user from this list is found to have a session, you'll immediately receive an alert at the level of your choosing. Sometimes it isn't feasible to entirely delete the accounts of employees who are no longer with your organization, but you still need to make sure these newly-unauthorized users aren't logging in. The below option lets you enter a comma-separated list of such users. The event monitor will send you an alert of your choosing the moment it detects activity from any user in this list.
To monitor logins and login attempts in Active Directory, use our Active Directory Event Monitor. It has many of the same options as the Logon Security monitor mentioned above with additional AD-specific alerting parameters. This event monitor provides the option to alert about account modifications along with account events, giving you the ability to receive alerts about new account creations, modifications to existing accounts, and the deletion of accounts as well.
While performing audits, you may need to check the membership of certain Active Directory groups. The Active Directory Event Monitor has an entire section dedicated to this type of monitoring. Many organizations need to keep a close eye on the list of users with Domain Admin permissions, as users in this group have clearance to do virtually anything in your AD environment. To receive alerts if your Domain Admins group gains a new member, just check the box and choose your level of alert, as below. If a user is ever added to this group for any reason, you'll promptly receive an alert about it, allowing you to review the action.
The Linux/SSH Login Event Monitor is the tool we'll use to audit Linux logins. It uses SSH to connect to your Linux-based systems and monitors many of the same ways we've discussed above. With it, you can receive notifications if any user logs in or if a new user is detected. Use the latter option to keep tabs on all new users. You can also choose to be notified about the removal of user accounts.
These settings coupled with the next option, which appends a list of all users to the event text summary, are great for auditing purposes. When you select this option, you'll receive a list of all existing users on your Linux box as well as their latest login time and date.
To monitor cloud logins, we'll use the Azure Logon Security Event Monitor. Because they're not on-premises and can be accessed from anywhere, your cloud logins may require extra attention to detail when it comes to monitoring. This event monitor can warn about successful login attempts as well as failed ones, allowing you to keep an eye on all logins to your cloud services.
The usual filtering options are provided and shown below. Use them to include or exclude users, applications, and resources so you receive only the notifications relevant to your monitoring needs. You can also establish an audit trail over time, as FrameFlow allows you to retain the information gathered by all event monitors mentioned in this article indefinitely. As mentioned before, this quality makes these event monitors useful tools to supplement your organization's compliance requirements.
This article taught you how to monitor user login activity and receive alerts about logins or login attempts on Windows, Linux, and in the cloud. We also covered how to use FrameFlow's various login security monitors to create audit trails and keep records of users, login events, and failed logins over time. More articles on use cases like this are coming soon, so make sure to keep an eye on FrameFlow's new Use Cases section.More Use Cases