Microsoft Active Directory | "Computers with Anomalous Login Activity" Alert

Problem: If you’ve received an alert for ACTIVE DIRECTORY | COMPUTERS WITH ANOMALOUS LOGIN ACTIVITY, the steps below walk you through investigating and remediating it.

Steps to Resolution

  • Cause

    • This alert appears when a user or service account attempts to log in to a system and the attempt generates a failed logon event.

    • The alert shows the systems with the bad logon event, but it does not currently return the user account that may have caused the event.

  • Investigation

    • In the actionable alert you should see a list of systems that have a bad logon count > 0.


    • Log in to the Active Directory server that this alert came from, then open PowerShell and run the command below, replacing SYSTEMNAME with the name of the system in the alert.

      • Get-ADComputer -Identity SYSTEMNAME -Properties BadLogonCount | Select-Object -Property BadLogonCount

      • The bad logon count returned for the system should be greater than 0.

  • Resolution

    • Once there is a successful user or service account login to the device, this count should reset on the AD server.

  • Items to consider

    • If a system keeps appearing in the alert and you confirm the bad logon count drops to 0 for a time and then increases again, there may be a service trying to log in with an expired password.

    • If there are successful logins but the AD server continues to see a bad logon count greater than 0, this may be due to the sync or replication settings of the AD environment.
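The following PowerShell is an added example, not part of the original article or the inspector's own code. It extends the single Get-ADComputer check from the Investigation section in two ways that the Items to consider section motivates: it reads BadLogonCount from every domain controller (the underlying badPwdCount attribute is not replicated between DCs, so a count that differs per DC is normal and is one reason a "successful login" can still show a non-zero count on one server), and it searches the DC's Security log for the failed-authentication events (4771 Kerberos pre-authentication failed, 4776 NTLM credential validation failed) that name the account involved, which the alert itself does not return. It assumes the ActiveDirectory module is available, that it is run on a domain controller (for the event-log query) with rights to read the Security log, and that SYSTEMNAME is replaced with the system from the alert.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is installed and the script runs on a DC with Security-log read rights.
Import-Module ActiveDirectory

$SystemName = 'SYSTEMNAME'            # placeholder: replace with the system named in the alert
$Since      = (Get-Date).AddHours(-24) # look back 24 hours; adjust as needed

# 1) BadLogonCount (badPwdCount) is not replicated, so query each DC separately.
#    Different values per DC are expected, not a fault.
function Get-BadLogonCountPerDC {
    param([string]$Identity)
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $c = Get-ADComputer -Identity $Identity -Server $dc.HostName `
                -Properties BadLogonCount, LastBadPasswordAttempt, PasswordLastSet
        [pscustomobject]@{
            DomainController       = $dc.HostName
            BadLogonCount          = $c.BadLogonCount
            LastBadPasswordAttempt = $c.LastBadPasswordAttempt
            PasswordLastSet        = $c.PasswordLastSet
        }
    }
}

# 2) Every computer account the alert could list, as seen from the DC you are on.
function Get-ComputersWithBadLogons {
    Get-ADComputer -Filter * -Properties BadLogonCount |
        Where-Object { $_.BadLogonCount -gt 0 } |
        Select-Object Name, BadLogonCount
}

# 3) The alert does not name the account; the DC Security log does.
#    4771 = Kerberos pre-authentication failed, 4776 = NTLM validation failed.
function Get-FailedAuthForSystem {
    param([string]$ComputerName, [datetime]$StartTime)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = $StartTime
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        # 4776 carries the source workstation name; 4771 carries the client IP.
        $source = if ($e.Id -eq 4776) { $data['Workstation'] } else { $data['IpAddress'] }
        # Match the computer's own account (SYSTEMNAME$) or an attempt sourced from that host.
        if ($data['TargetUserName'] -ieq "$ComputerName`$" -or $source -ieq $ComputerName) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                EventId = $e.Id
                Account = $data['TargetUserName']   # the account the alert does not show
                Source  = $source
                Status  = $data['Status']           # e.g. 0x18 on 4771 / 0xC000006A on 4776 = bad password
            }
        }
    }
}

Get-BadLogonCountPerDC -Identity $SystemName | Format-Table -AutoSize
Get-FailedAuthForSystem -ComputerName $SystemName -StartTime $Since |
    Sort-Object Time | Format-Table -AutoSize
```

If the Account column repeatedly shows a service account with a bad-password status at regular intervals, that matches the expired-password scenario above; if the per-DC table shows the count at 0 on the DC that authenticated the successful login but non-zero elsewhere, the non-replicated attribute, not a live failure, explains the lingering count.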

Outcome: The above should give a better understanding of the Anomalous Login alert and the steps needed to resolve it.

Alternatives: If you have any questions or run into any issues please reach out to Support.

For more information, please visit Microsoft's Documentation.
