Failed Login Check

The Failed Login Check queries the Windows Security Event Log to identify the total number of unsuccessful login attempts on the monitored device over the past 24 hours. If the number of discovered Events exceeds the specified threshold, the Check fails.

The Failed Login Check results are available in the South-pane Checks tab. The More Information column displays the total number of Failed Logins recorded over the last 24 hours. Click the link in the More Information column for information on the cause of the failures.

Check configuration

Add

  1. Select the device in the North-pane of the Dashboard
  2. Go to the Checks tab
  3. Click Add Check
  4. Choose Add DSC > Failed Login Check
  5. Enter the Threshold

    When you set the threshold for the Failed Login Check, we recommend you first decide how many failed attempts constitute an abnormal amount.

    Work with your customer to determine a suitable number of failed logins as a baseline, and configure the threshold such that if the baseline is exceeded, the check fails and sends an alert.

  6. To run an Automated Task when the Check fails, choose Assign a Task after creating the Check
  7. Click OK to save and apply
  8. Where Assign a Task after creating the Check is selected:
    1. Select the script
    2. Click Next to configure
  9. Enter the Command Line parameters (if required)
  10. Set a Script timeout in the range 1 - 3600 seconds (default 120 seconds)
  11. Click Finish to save and apply

Edit

  1. Select the device in the North-pane of the Dashboard
  2. Go to the Checks tab
  3. Right-click the target Failed Login Check and select Edit Check
  4. Configure the settings
  5. Click OK to save and apply

Delete

  1. Select the device in the North-pane of the Dashboard
  2. Go to the Checks tab
  3. Right-click the target Failed Login Check and select Delete Check
  4. Enter the password you logged into the Dashboard with to confirm removal
  5. Click OK to delete

Failed Login Check data

The Failed Login Check returns data on the IP address and user name associated with the attempted login. Aggregated data is available only for the latest one hundred entries recorded over the monitored period; any entries above this number are simply counted.

The Failed Login Check queries the Windows Security Event Log for occurrences of the following Events:

Event ID  Failure Type
4625      An account failed to log on
4768      A Kerberos authentication ticket was requested (when the type is failure)
4772      A Kerberos authentication ticket request failed
4771      Kerberos pre-authentication failed
4776      The domain controller attempted to validate the credentials for an account
4777      The domain controller failed to validate the credentials for an account

The Check Info tab of the More Information dialog lists a summary for each discovered Event. Click the Event plus button (+) for detail on the failure.

Field              Description
Event ID           The failure Event ID, including a link to EventID.net for further information on this Event type
Count              Total number of instances of the Event
First Event        Date and time of first Event
Last Event         Date and time of last Event
Source             IP address the attempted login originated from (where known). If there are multiple IP addresses the number of Sources is returned.
User Name          User name associated with the attempted login. If there are multiple users, the number of User names is returned.
Failed Logins      Total number of Events recorded
Failure reason     Cause of the failed login attempt
Unique sources     IP address the attempted login originated from (where known). Includes the number of occurrences of this Event the IP address is associated with.
Unique user names  User name linked to the attempted login. Includes the number of occurrences of this Event the user name is associated with.
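
To baseline a threshold or cross-check the Check's figures directly on a device, the following PowerShell queries the Security Event Log for the Event IDs listed above over the last 24 hours, compares the total with a threshold, and aggregates sources and user names over the latest one hundred entries. It is an added example, not the product's own code: the threshold value, the variable names and the reading of "type failure" for 4768 as the Audit Failure keyword are assumptions, and it must be run from an elevated prompt.

```powershell
# Added example: reproduce the Failed Login Check numbers by hand (elevated prompt).
$Threshold = 50                   # assumed value; use the baseline agreed with the customer
$EventIds  = 4625, 4768, 4771, 4772, 4776, 4777
$AuditFail = 0x10000000000000     # "Audit Failure" keyword bit on Security log records

# Pull the listed Event IDs from the last 24 hours (newest first).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $EventIds
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue   # no matching events is reported as an error

# Assumption: "type failure" for 4768 means the Audit Failure keyword is set.
$failed = @($events | Where-Object { $_.Id -ne 4768 -or ($_.Keywords -band $AuditFail) })

# The Check fails when the 24-hour total exceeds the threshold.
$state = if ($failed.Count -gt $Threshold) { 'FAIL' } else { 'PASS' }
'{0}: {1} failed logins in 24h (threshold {2})' -f $state, $failed.Count, $Threshold

# Flatten the named EventData fields of the latest 100 records for aggregation.
$rows = foreach ($e in ($failed | Select-Object -First 100)) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        EventId  = $e.Id
        Time     = $e.TimeCreated
        UserName = $data['TargetUserName']
        # 4776 carries a Workstation name instead of an IP address
        Source   = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['Workstation'] }
    }
}

# Per-Event summary: Count, First Event, Last Event.
$rows | Group-Object EventId | ForEach-Object {
    $times = @($_.Group.Time | Sort-Object)
    [pscustomobject]@{ EventId = $_.Name; Count = $_.Count; First = $times[0]; Last = $times[-1] }
} | Format-Table -AutoSize

# Unique sources and unique user names with their occurrence counts.
$rows | Group-Object Source   | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$rows | Group-Object UserName | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Running this for several days before setting the threshold gives the normal daily count to agree with the customer; a single source or user name dominating the grouped output is usually the first thing to investigate when the Check fails.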