Skip to Main Content
Liongard Library

Welcome to Liongard Library, where Lions share! This is a community-led space where Liongard users can come to teach and learn from one another.
Share custom Metrics, get inspired and see what’s trending in the Pride.

Pride Etiquette:
➕ Have great custom Metrics? Add them as entries!
🌟 Want to use a Metric? Copy the query and
follow this doc.
👍 Tried a Metric from the Library? Like it!
📣 Have a question or feedback on a Metric? Add a comment!
🔎 Not sure where to start? Learn about Metrics and how to write them.
💬 Need help writing a metric or want to help support others? Join the conversation in our Liongard Lounge #metrics slack channel.


🥴 See something off? Open a support chat to let us know.

Categories Windows Server
Created by Lamont Largie
Created on May 22, 2024

Windows Server: Excessive Failed Logon Alerts (Last 2 Weeks)

Metric Name: Windows Server: Windows Server: Excessive Failed Logon Alerts (Last 2 Weeks)

Category: Windows Server

Description: This metric is designed to identify and report on local account logon failures that exceed one attempt within the past two weeks on Windows Servers. It provides critical security information, including the account name, number of failed logon attempts, the date of the last failed logon, and the time elapsed since the last failed attempt. This information is essential for identifying potential security risks or breach attempts on local accounts.

Purpose: Monitoring failed logon attempts is vital for early detection of unauthorized access attempts and potential security threats. This metric helps IT security teams to quickly respond to and investigate unusual login behaviors, enhancing the security posture of the organization.

How It Works: The metric filters user account data to identify accounts with more than one failed login attempt in the last 14 days. It then displays relevant details such as the user's full name, count of failed logon attempts, the date of the last successful logon, and days since the last bad password attempt. This allows for timely and focused security assessments and interventions.

Beneficiaries: This metric is particularly beneficial for IT security and administrative teams tasked with safeguarding Windows Server environments. It aids in compliance with security policies that require monitoring and addressing failed access attempts to prevent potential breaches.







**Enhancing the "Windows Server: Excessive Failed Logon Alerts (Last 2 Weeks)" Metric**

1. Adjusting the Time Frame:

  • Current Setting: Last 2 weeks.

  • Modification: You can modify the timeframe to be more or less restrictive, such as the last 7 days or the last 30 days, depending on the security monitoring needs of your organization.

  • Value: Shorter timeframes might be useful for high-security environments where frequent monitoring is critical, whereas longer timeframes could be better for trend analysis and less critical systems.

2. Varying the Threshold for Alerts:

  • Current Setting: More than one failed attempt.

  • Modification: Change the threshold for what constitutes an excessive number of failed logon attempts—either increasing or decreasing the number.

  • Value: Higher thresholds may reduce the number of alerts, minimizing alarm fatigue among IT staff. Lower thresholds increase sensitivity to potential unauthorized access, enhancing security but potentially increasing the volume of alerts.

3. Including Additional Data Points:

  • Current Setting: Username, count of failed attempts, last successful logon, days since the last attempt.

  • Modification: Include additional details such as IP address of access attempt, geographic location, or device type.

  • Value: This provides more context for each alert, aiding in quicker and more accurate responses to potential security incidents. It helps in identifying patterns or common sources of attacks.

Query

Users[?BadLogonCount > '1' && time_since(LastBadPasswordAttempt, 'days') < `14`].[['--'],['UserName:'FullName], ['Failed Logon Attempts:'BadLogonCount],['Last Successful Logon Date:'LastLogon],['Days Since Last Failed Logon Attempt:' time_since(LastBadPasswordAttempt, 'days')]][]

  • Attach files