You can use the unusual logon feature provided by Security Center to monitor logons to your server and receive alerts when logons from unusual locations are detected. Security Center Advanced Edition and Enterprise Edition allow you to set approved IP addresses, time period, and accounts for logging on to specific servers. Logon attempts that do not use the approved IP addresses and accounts during the approved time period will trigger alerts.
On the Alerts page of the Security Center console, you can view the IP address, account name, and time of each unusual logon. You can also view the alerts for unusual logons, unapproved IP addresses, unapproved logon time, and unapproved accounts.
Features and principles
The Security Center agent regularly collects logon logs from your server and uploads them to the cloud, where they are analyzed and matched. An alert is reported when Security Center detects a successful logon from an unapproved location, using an unapproved IP address or account, or at an unapproved time.
- If this is the first time that your server is protected by Security Center, no alert is triggered by logons until usual logon locations are set for the server.
- When a public IP address successfully logs on to the server for the first time, the IP address is marked as a usual logon location. All locations from which public IP addresses log on to the server within 24 hours of that time are also marked as usual logon locations. After 24 hours, all logons that are not from these usual logon locations are considered unusual logons and trigger alerts.
- If a logon from an IP address is identified as an unusual logon, only the first logon attempt triggers an SMS alert. If logons from the IP address succeed six or more times, Security Center records the location of the IP address as a usual logon location by default.
Alert policy: Security Center sends an SMS alert for the first logon from an unusual IP address. If the IP address is then used to log on to the server on consecutive occasions, an alert is reported in the Security Center console. A usual logon location is automatically recorded after the IP address is used six times to log on to the server.
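The learning window and alert policy described above can be replayed as a small state machine. This is an added example, not Security Center code. It assumes each event is a successful logon from a public IP address with its location already resolved, that logons are counted per IP address, and that the sixth logon still raises a console alert before the location is recorded. The class, function names and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

LEARNING_WINDOW = timedelta(hours=24)  # from the page: 24 hours after the first logon
PROMOTE_AFTER = 6                      # from the page: six logons record the location


class UnusualLogonModel:
    """Toy model of the documented alert policy for a single server."""

    def __init__(self):
        self.first_logon = None   # start of the learning window
        self.usual = set()        # usual logon locations
        self.unusual_count = {}   # successful logons per unusual IP address

    def observe(self, when, ip, location):
        """Classify one successful logon as 'learned', 'ok', 'sms' or 'console'."""
        if self.first_logon is None:
            self.first_logon = when
        if when - self.first_logon <= LEARNING_WINDOW:
            self.usual.add(location)      # every location seen in the window is usual
            return "learned"
        if location in self.usual:
            return "ok"
        n = self.unusual_count.get(ip, 0) + 1
        self.unusual_count[ip] = n
        if n >= PROMOTE_AFTER:
            self.usual.add(location)      # assumption: the sixth logon still alerts
        return "sms" if n == 1 else "console"


def replay(events):
    """Run (time, ip, location) events through a fresh model, return the verdicts."""
    model = UnusualLogonModel()
    return [model.observe(*event) for event in events]


# Constructed sample: two logons inside the window, one usual logon afterwards,
# then seven logons from a location that was never seen during the window.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    (T0, "203.0.113.10", "Hangzhou"),
    (T0 + timedelta(hours=5), "203.0.113.20", "Beijing"),
    (T0 + timedelta(days=2), "203.0.113.10", "Hangzhou"),
] + [(T0 + timedelta(days=3, minutes=i), "198.51.100.7", "Frankfurt") for i in range(7)]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event[0].isoformat(), event[1], event[2], "->", verdict)
```

In this model the seventh logon from the new location is classified as usual, which is the behavior that the approved IP address, time period, and account settings take priority over.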
Security Center Advanced Edition and Enterprise Edition allow you to set approved IP addresses, time period, and accounts for logging on to specific servers. Logon attempts that do not use the approved IP addresses and accounts during the approved time period will trigger alerts. These logon security settings have a higher priority than the unusual logon alert policy.