Back to Resources

Level Verified

Failed Login Monitor

Created by

Level

Type

Monitor

Category

Security

Platforms
WindowsApple iOSLinux

Problem Overview

Failed login attempts can indicate unauthorized access attempts, brute-force attacks, misconfigured credentials, or forgotten passwords. Without active monitoring, IT teams may miss critical security events that could signal an imminent threat. This monitor policy ensures real-time visibility into failed authentication attempts, helping organizations detect and respond to security incidents before they escalate.

Description

This monitor policy provides two monitoring options, allowing users to track failed authentication attempts based on their security needs. The Failed Admin Login Monitor specifically detects failed login attempts for administrator accounts, highlighting potential breaches or unauthorized access attempts on privileged accounts. The Failed Login Monitor tracks failed logins for all users, offering broader visibility into authentication failures across the entire system. By default, both monitors are enabled, but users can choose to keep only the one that aligns with their security policies. This monitor currently supports Windows, with macOS and Linux support planned for future releases.

Preview

Failed Login Monitor

Use Cases

  • Detect unauthorized login attempts on administrator accounts.
  • Monitor failed login attempts for all users to identify security threats.
  • Prevent brute-force attacks by identifying repeated failed authentication attempts.
  • Enhance security logging and compliance auditing.
  • Alert IT teams to misconfigured credentials or locked-out users.

Recommendations

  • Choose the appropriate monitor based on your security needs—keep both enabled for full visibility or remove one to reduce noise.
  • Pair with automated responses to temporarily lock accounts or notify security teams after multiple failed login attempts.
  • Test in a controlled environment before full deployment to validate detection accuracy.
  • Regularly review failed login alerts to identify patterns of suspicious activity.
  • Contact Level support if you’re interested in macOS or Linux support.

FAQ

  • Can I monitor both admin and non-admin logins at the same time?
    Yes, both monitors are enabled by default. If you only want to monitor one type of login failure, you can disable or delete the other.
  • Does this monitor detect brute-force attacks?
    Yes, it can help identify repeated failed login attempts, which are often a sign of brute-force attacks.
  • Will this monitor generate too many alerts?
    If you have frequent failed login attempts in your environment, consider keeping only the Failed Admin Login Monitor to reduce noise.
  • Does this work on macOS or Linux?
    Not yet, but support for macOS and Linux is planned. Reach out to Level support if you’re interested.
  • Can I use this for compliance monitoring?
    Yes, monitoring failed login attempts is a key requirement for compliance with security frameworks like PCI-DSS, HIPAA, and NIST.

Included with this Monitor:

Below is a list of what you can expect to find when importing this Monitor.

Script details:

The following data and settings will be imported with your script.

Monitors

  • Run Script

Scripts

  • Windows - Failed Admin Login
  • Windows - Failed Login Attempt (Any User)

Tags

  • Server
  • Workstation
Import into Level

Related resources

Explore more automations, scripts, and policies to further enhance your IT operations.

View all resources