Tracking administrator logins is critical for security and compliance. Unauthorized admin access can indicate a security breach, compromised credentials, or an insider threat. Monitoring all admin logins also helps organizations track access trends and audit privileged account usage. This monitor keeps IT professionals informed about admin login activity, enabling them to detect threats and enforce security policies proactively.
Description
This monitor policy provides two distinct monitoring options designed to enhance security oversight of administrator logins. The first monitor, Unauthorized Admin Login Alert, detects and alerts on any admin login that does not match the predefined list of authorized accounts, ensuring that unauthorized access attempts are immediately flagged. The second monitor, Admin Login Alert, generates alerts for every administrator login, providing full visibility into privileged account usage. By default, both monitors are enabled, but users can choose to keep only the one that best fits their security needs. Currently, this monitor is available for Windows, with macOS and Linux support in development.
Preview
Use Cases
Detect unauthorized administrator logins in real time.
Monitor all privileged account logins for security audits.
Enhance compliance with security frameworks (PCI-DSS, HIPAA, NIST).
Identify unusual admin login behavior that may indicate credential compromise.
Recommendations
Keep both monitors enabled if you need complete visibility into admin logins. Otherwise, disable the one you don’t need.
Pair with automated responses to take action when unauthorized logins occur, such as notifying security teams or locking the account.
Test in a controlled environment before full deployment to confirm the monitor behaves as expected on your systems.
Contact Level support if you’re interested in macOS or Linux support.
FAQ
Can I customize which admins are considered “authorized”? Yes, the Unauthorized Admin Login Alert uses a Level custom field (cf_authorized_admins) to define authorized admins.
Do I need both monitors enabled? No, you can disable or delete one based on your needs. If you only want alerts on unauthorized logins, keep the Unauthorized Admin Login Alert and remove the general Admin Login Alert.
Does this monitor work on macOS or Linux? Not yet, but support for macOS and Linux is planned. Reach out to Level support if you’re interested.
Can this monitor detect remote and local logins? Yes, it tracks both interactive (local) and remote desktop (RDP) logins for admin accounts.
Will this generate too many alerts? It depends on your environment. If you have frequent admin logins, you may want to use only the Unauthorized Admin Login Alert to reduce noise.
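The Description and FAQ above describe the detection logic in prose: find recent interactive (logon type 2) and RDP (logon type 10) logons by members of the local Administrators group, then flag any that are not on the authorized list. The PowerShell below is an added illustration of that logic, not Level's monitor script. It assumes a hypothetical $AuthorizedAdmins list (in Level this would come from the cf_authorized_admins custom field), a constructed sample of two authorized accounts, and that a nonzero exit code is treated as an alert.

```powershell
# Added example, not Level's own monitor code. Reviews Windows Security log
# event 4624 for recent admin logons and reports any not on the authorized list.

# Assumption: in Level this list would be read from the cf_authorized_admins
# custom field. The two entries below are constructed sample values.
$AuthorizedAdmins = @('CORP\jdoe', 'CORP\svc-backup')
$LookbackMinutes  = 15

function Get-AdminLogons {
    param([int]$Minutes = 15)

    # Members of the local Administrators group, as DOMAIN\user or MACHINE\user.
    # Caveat: nested domain groups are listed as the group, not expanded to users,
    # so a user who is an admin only via a domain group will not match here.
    $adminMembers = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name

    $since  = (Get-Date).AddMinutes(-$Minutes)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Logon type 2 = interactive (console), 10 = RemoteInteractive (RDP).
        if ($data.LogonType -notin @('2', '10')) { continue }

        $account = "$($data.TargetDomainName)\$($data.TargetUserName)"
        if ($account -notin $adminMembers) { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $account
            LogonType = if ($data.LogonType -eq '10') { 'RDP' } else { 'Interactive' }
            SourceIP  = $data.IpAddress
        }
    }
}

function Test-UnauthorizedAdminLogons {
    param([string[]]$Authorized, [int]$Minutes = 15)
    # Return only the admin logons whose account is not on the authorized list.
    Get-AdminLogons -Minutes $Minutes |
        Where-Object { $_.Account -notin $Authorized }
}

$all          = @(Get-AdminLogons -Minutes $LookbackMinutes)
$unauthorized = @(Test-UnauthorizedAdminLogons -Authorized $AuthorizedAdmins -Minutes $LookbackMinutes)

# "Admin Login Alert" style output: every admin logon in the window.
$all | Format-Table -AutoSize

# "Unauthorized Admin Login Alert" style result: nonzero exit code when any
# admin logon is not on the authorized list (assumed to be the alert signal).
if ($unauthorized.Count -gt 0) {
    Write-Output "Unauthorized admin logon(s): $($unauthorized.Account -join ', ')"
    exit 1
}
exit 0
```

Run it elevated, since reading the Security log requires administrative rights. Because the Administrators group is checked by name, keep the authorized list in the same DOMAIN\user form that Get-LocalGroupMember reports, otherwise every admin logon will be reported as unauthorized.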
Included with this Monitor:
Below is a list of what you can expect to find when importing this Monitor.
Script details:
The following data and settings will be imported with your script.