1. Spikes in failed logon activity. Multiple failures to log on to the corporate IT environment can be a sign that the user is not supposed to have access there or that something went wrong with the credentials.
2. Accounts with most logon activity. Any user account with suspiciously high logon activity might indicate either that the account has been compromised and is being used by someone other than the proper owner, or that malware is using the account to launch various applications.
3. Logon activity outside business hours. A user unexpectedly logging into your critical IT systems during non-business hours often warrants a security investigation.
4. Logons by a single user from multiple endpoints.
5. Logons by multiple users from a single endpoint. In some cases, logons by multiple users from the same machine are legitimate; for example, several employees might use the same terminal server to do their jobs. But other cases could be malicious, such as a person or a malware client using various accounts to gain additional privileges and illicitly access your critical data.
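The five indicators above are all simple aggregations over logon events (count per account, count per window, distinct endpoints per account, distinct accounts per endpoint, time-of-day). The following is an added example, not code from the original list or from any product it may describe: it runs each check over a small set of constructed logon events. The event shape (timestamp, account, endpoint, outcome), the thresholds (5 failures in 10 minutes, 3 distinct endpoints or accounts) and the 08:00 to 18:00 weekday business window are assumptions chosen for the demonstration and would be tuned to the environment.

```python
"""Detection checks for the five logon indicators, run over constructed sample events."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not from the page): timestamp, account, endpoint, outcome.
RAW_EVENTS = [
    ("2024-03-04 09:02:11", "alice", "WS-01", "success"),
    ("2024-03-04 09:14:50", "bob", "WS-02", "failure"),       # a single mistyped password
    ("2024-03-04 09:15:40", "bob", "WS-02", "success"),
    ("2024-03-04 09:16:02", "bob", "WS-02", "success"),
    ("2024-03-04 10:01:00", "carol", "TS-01", "success"),     # shared terminal server
    ("2024-03-04 10:03:00", "dave", "TS-01", "success"),
    ("2024-03-04 10:04:30", "erin", "TS-01", "success"),
    ("2024-03-04 23:40:12", "alice", "SRV-DB01", "success"),  # after hours, new endpoints
    ("2024-03-04 23:41:00", "alice", "SRV-FS01", "success"),
    ("2024-03-04 23:42:00", "alice", "SRV-AD01", "success"),
    ("2024-03-05 02:10:05", "svc_backup", "SRV-BK01", "failure"),  # burst of failures
    ("2024-03-05 02:10:35", "svc_backup", "SRV-BK01", "failure"),
    ("2024-03-05 02:11:05", "svc_backup", "SRV-BK01", "failure"),
    ("2024-03-05 02:11:35", "svc_backup", "SRV-BK01", "failure"),
    ("2024-03-05 02:12:05", "svc_backup", "SRV-BK01", "failure"),
    ("2024-03-05 02:12:35", "svc_backup", "SRV-BK01", "failure"),
]


def parse_events(raw):
    """Turn (timestamp, user, host, outcome) tuples into dicts with a datetime, sorted by time."""
    events = [
        {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": u, "host": h, "outcome": o}
        for ts, u, h, o in raw
    ]
    return sorted(events, key=lambda e: e["time"])


def failed_logon_spikes(events, threshold=5, window=timedelta(minutes=10)):
    """1. Accounts whose failures within any sliding `window` reach `threshold`.
    Returns {user: highest failure count seen in one window}."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            failures[e["user"]].append(e["time"])  # already time-ordered
    spikes = {}
    for user, times in failures.items():
        start, peak = 0, 0
        for end, t in enumerate(times):  # two-pointer sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            spikes[user] = peak
    return spikes


def top_logon_accounts(events, n=3):
    """2. Accounts with the most successful logons, as (user, count) pairs."""
    counts = Counter(e["user"] for e in events if e["outcome"] == "success")
    return counts.most_common(n)


def after_hours_logons(events, start_hour=8, end_hour=18):
    """3. Successful logons on a weekend or outside [start_hour, end_hour) on a weekday."""
    def outside(t):
        return t.weekday() >= 5 or not (start_hour <= t.hour < end_hour)
    return [e for e in events if e["outcome"] == "success" and outside(e["time"])]


def single_user_multiple_endpoints(events, min_hosts=3):
    """4. Accounts with successful logons on at least `min_hosts` distinct endpoints."""
    hosts = defaultdict(set)
    for e in events:
        if e["outcome"] == "success":
            hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}


def multiple_users_single_endpoint(events, min_users=3):
    """5. Endpoints with successful logons from at least `min_users` distinct accounts."""
    users = defaultdict(set)
    for e in events:
        if e["outcome"] == "success":
            users[e["host"]].add(e["user"])
    return {h: sorted(u) for h, u in users.items() if len(u) >= min_users}


if __name__ == "__main__":
    evts = parse_events(RAW_EVENTS)
    print("1. failed-logon spikes:", failed_logon_spikes(evts))
    print("2. busiest accounts:", top_logon_accounts(evts, n=2))
    print("3. after-hours logons:", [(e["user"], e["host"]) for e in after_hours_logons(evts)])
    print("4. one user, many endpoints:", single_user_multiple_endpoints(evts))
    print("5. many users, one endpoint:", multiple_users_single_endpoint(evts))
```

On the sample data the checks flag `svc_backup` for the failure burst, `alice` for both the after-hours logons and the spread across four endpoints, and `TS-01` for three distinct accounts. The last hit is the legitimate terminal-server case the list itself calls out, which is why check 5 is best treated as a lead to review with knowledge of which hosts are shared rather than as an alert on its own.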