[Defender] Feature Request: Audit Logging > Event Summary - Add IP Banned Message

Hi,

in Defender > Audit Logging > Event Logs > Event Summary
there are messages like: "User login fail. Username: domain.tld"

Please add additional information when IP is banned.
So it will looks like: "User login fail. Username: domain.tld IP banned."

Audit Logging is great to find new usernames which attackers use to log to your website. So you can add it to "Defender > Login Protection > Automatically Banned Usernames".

But when "IP banned" is not mentioned in Event Summary, in thousands of events, it is hard to find new usernames to ban.

Thanks,
Jiri

  • Adam Czajczyk

    Hello Jiri

    I hope you're having a nice day!

    There are logs created on "Defender Pro -> IP Lockouts -> Logs" page where any of IP Lockouts option is enabled. The logs entries occur only after the "ban/lockout" happened but you mentioned setting permanent ban due to failed login attempts by adding usernames to "Automatically ban usernames" list.

    This means that the "Login protection" module is already active so that should actually log any suspicious login attempts in aforementioned log: with a reason and an IP - so you could actually find those usernames there based on IP too.

    Have you tried it that way?

    Best regards,
    Adam

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.