After you enable the free security hardening feature for an instance, you can configure approved logon locations, IP addresses, times, and accounts. The unusual logon detection feature of Security Center uses this information to immediately detect remote logon attempts from unknown or malicious IP addresses.
Security risks
If a password is leaked or an account is stolen, an attacker might use the logon credentials to access your system. This can involve multiple failed logon attempts or logons from suspicious locations. Abnormal logon behavior can also originate from internal employees or systems, such as unauthorized access or permission abuse. Unusual logon detection helps you immediately find and block unauthorized logon behavior. It also helps your organization identify potential internal threats.
Best practices
After you enable the free security hardening feature, it can detect unusual logon behavior on your servers. You can set approved logon locations, IP addresses, times, and accounts to receive alerts for any logon that does not match these settings. You can add and update approved logon locations manually or automatically to generate alerts for unusual logons to specified assets.
Console
Log on to the Security Center console.
In the navigation pane on the left, choose .
Click the Common Logon Management tab. Set approved logon locations, IP addresses, times, and accounts as needed. For more information, see Approved logon management.
API
Call the ModifyLoginBaseConfig operation of Security Center. Set the Type parameter to specify the type of unusual logon detection:
login_common_location: Common logon location.
login_common_ip: Common logon IP address.
login_common_time: Common logon time.
login_common_account: Common logon account.
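The following is an added illustration, not Security Center code or output. It shows how a logon event can be compared against the four approved-logon baselines, keyed by the Type values above. The baseline values, event fields, and function names are constructed assumptions.

```python
import ipaddress
from datetime import datetime, time

# Hypothetical baseline keyed by the Type values; all values are constructed.
BASELINE = {
    "login_common_location": {"Hangzhou", "Singapore"},
    "login_common_ip": [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")],
    "login_common_time": (time(8, 0), time(20, 0)),
    "login_common_account": {"ops", "deploy"},
}

# Constructed logon events (not real Security Center log output).
EVENTS = [
    {"ts": "2024-05-06T09:15:00", "ip": "203.0.113.25", "location": "Hangzhou", "account": "ops"},
    {"ts": "2024-05-06T02:40:00", "ip": "203.0.113.25", "location": "Hangzhou", "account": "ops"},
    {"ts": "2024-05-06T10:05:00", "ip": "192.0.2.44", "location": "Unknown", "account": "root"},
]


def in_window(t, window):
    """True if t falls in [start, end]; handles windows that wrap past midnight."""
    start, end = window
    return start <= t <= end if start <= end else (t >= start or t <= end)


def unusual_reasons(event, baseline=BASELINE):
    """Return the baseline types this logon event fails to match."""
    reasons = []
    if event["location"] not in baseline["login_common_location"]:
        reasons.append("login_common_location")
    addr = ipaddress.ip_address(event["ip"])
    if not any(addr in net for net in baseline["login_common_ip"]):
        reasons.append("login_common_ip")
    if not in_window(datetime.fromisoformat(event["ts"]).time(), baseline["login_common_time"]):
        reasons.append("login_common_time")
    if event["account"] not in baseline["login_common_account"]:
        reasons.append("login_common_account")
    return reasons


def alerts(events=EVENTS, baseline=BASELINE):
    """Pair each non-matching event with the baseline types it violates."""
    return [(e, r) for e in events if (r := unusual_reasons(e, baseline))]


if __name__ == "__main__":
    for event, reasons in alerts():
        print(event["ts"], event["account"], event["ip"], "->", ", ".join(reasons))
```

A logon that fails any one baseline type is reported, so an approved account from an approved IP address still raises an alert when it logs on outside the approved time window.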