
How does Security Center detect unusual logons and generate alerts for the unusual logons?

Last Updated: Jun 01, 2021

Overview

This article describes how Security Center detects unusual logons and generates alerts for the unusual logons.

Description

The following sections describe how Security Center detects unusual logons and generates alerts for the unusual logons.

Note: If your servers are deployed in data centers and have the Security Center agent installed, Security Center can also detect unusual logons to your servers and generate alerts for the unusual logons.

Working principle

You can use the unusual logon detection feature provided by Security Center to monitor logons to your server. If Security Center detects logons to your server from unapproved locations, it generates alerts.

If you use the Advanced or Enterprise edition of Security Center, you can specify the IP addresses and accounts that can be used to log on to your server. You can also specify the time ranges in which logons are allowed. If Security Center detects logons from unapproved IP addresses or accounts, or logons outside the specified time ranges, it generates alerts.

In the Settings panel of the Alerts page, you can view the IP address, account, and time of each unusual logon. You can also view the alerts that are generated for unusual logons, such as logons outside the specified time ranges and logons from unapproved locations, IP addresses, and accounts.

The Security Center agent regularly collects the logon logs of your server and uploads them to the cloud, where the logs are analyzed and matched. If Security Center detects a logon from an unapproved location, from an unapproved IP address, at an unapproved time, or with an unapproved account, it generates alerts for the logon. The following list describes how logons are evaluated by IP address:

  • If this is the first time that you use Security Center to protect your server, Security Center does not generate alerts for a logon because no approved logon locations have been specified yet.
  • The first time a public IP address is used to log on to the server, the location of the IP address is marked as an approved logon location. The locations of all public IP addresses that are used to log on to the server within 24 hours of that first logon are also marked as approved logon locations. After 24 hours, all logons that are not from these approved logon locations are considered logons from unapproved locations, and Security Center generates alerts for them.
  • If a logon from an IP address is considered an unapproved logon, Security Center generates an alert and sends an alert notification by text message only for the first logon. If the IP address is used to log on to the server six or more times, Security Center automatically records the location of this IP address as an approved logon location.
    Note: Security Center matches only public IP addresses to identify logons from unapproved locations.

How Security Center generates alerts for logons from unusual IP addresses

The following list describes how Security Center generates alerts for logons from unusual IP addresses:

  • Security Center sends you an alert notification by text message for the first logon from an unapproved IP address. If the IP address continues to be used to log on to your server, Security Center generates alerts only in the console. If the IP address is used to log on to the server six or more times, Security Center automatically records the location of this IP address as an approved logon location.
  • If you use the Advanced or Enterprise edition of Security Center, you can specify the IP addresses and accounts that can be used to log on to your server. You can also specify the time ranges in which logons are allowed. If Security Center detects logons from unapproved locations, from unapproved IP addresses, at unapproved logon times, and from unapproved accounts, Security Center first generates alerts for the last four types of logons.
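
The location rules from the "Working principle" list and the notification rules above can be replayed over a logon log with the following sketch, which is an added example and not Security Center code. The `GEO` lookup table, the class and function names, the sample events, and the choice that the sixth logon is still alerted before its location becomes approved are all assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

LEARNING_WINDOW = timedelta(hours=24)  # from the page: 24 hours after first logon
AUTO_APPROVE_AFTER = 6                 # from the page: "six or more" logons

class LocationBaseline:
    def __init__(self, geo):
        self.geo = geo            # hypothetical IP -> location lookup table
        self.first_seen = None    # time of the first public-IP logon
        self.approved = set()     # approved logon locations
        self.ip_hits = {}         # unapproved-logon count per IP

    def observe(self, ts, ip):
        """Return 'ignored', 'ok', 'alert+sms' or 'alert-console'."""
        if not ipaddress.ip_address(ip).is_global:
            return "ignored"      # only public IP addresses are matched
        loc = self.geo.get(ip, "unknown")
        if self.first_seen is None:
            self.first_seen = ts  # first public logon starts the window
        if ts - self.first_seen <= LEARNING_WINDOW:
            self.approved.add(loc)  # every location seen in the window is approved
            return "ok"
        if loc in self.approved:
            return "ok"
        n = self.ip_hits[ip] = self.ip_hits.get(ip, 0) + 1
        if n >= AUTO_APPROVE_AFTER:
            self.approved.add(loc)  # assumption: the sixth logon itself still alerts
        # Text message only for the first unapproved logon from this IP.
        return "alert+sms" if n == 1 else "alert-console"

# Constructed sample data: locations and logon events are made up for the example.
GEO = {"8.8.8.8": "US", "1.1.1.1": "AU", "9.9.9.9": "CH"}
SAMPLE = (
    [("2021-06-01T09:00:00", "10.0.0.5"),   # private address, never matched
     ("2021-06-01T09:05:00", "8.8.8.8"),    # first public logon, US approved
     ("2021-06-01T20:00:00", "1.1.1.1")]    # inside the window, AU approved
    + [(f"2021-06-03T08:0{i}:00", "9.9.9.9") for i in range(7)]  # CH, after window
    + [("2021-06-03T09:00:00", "1.1.1.1")]  # AU is still approved
)

def replay(events, geo=GEO):
    baseline = LocationBaseline(geo)
    return [baseline.observe(datetime.fromisoformat(t), ip) for t, ip in events]

if __name__ == "__main__":
    for (t, ip), verdict in zip(SAMPLE, replay(SAMPLE)):
        print(t, ip, verdict)
```
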

Application scope

  • Security Center