{"id":2530,"date":"2025-07-02T13:13:05","date_gmt":"2025-07-02T13:13:05","guid":{"rendered":"https:\/\/zecurit.com\/help\/?post_type=docs&#038;p=2530"},"modified":"2025-07-28T07:09:43","modified_gmt":"2025-07-28T07:09:43","slug":"user-logon-reports","status":"publish","type":"docs","link":"https:\/\/zecurit.com\/help\/asset-management\/reports-analytics\/pre-built-reports\/user-logon-reports\/","title":{"rendered":"User Logon Reports"},"content":{"rendered":"\n<p>The <strong>User Logon Reports<\/strong> provides deep insights into user login behavior across your organization\u2019s devices and domain controllers. These reports are essential for auditing user activity, identifying anomalies and ensuring proper access controls.<\/p>\n\n\n\n<p>Whether you&#8217;re a system administrator monitoring usage, an IT security analyst performing audits or a compliance officer reviewing access logs, this suite of reports offers the visibility you need.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. Computers Without Any User Logon<\/strong><\/h2>\n\n\n\n<p>This report lists devices that have no record of any user login since the agent was installed. It helps identify unused or idle assets that may need attention, repurposing, or decommissioning.<\/p>\n\n\n\n<p><strong>Use Cases:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect inactive or unassigned systems.<\/li>\n\n\n\n<li>Reclaim underutilized hardware.<\/li>\n\n\n\n<li>Audit compliance for device provisioning.<\/li>\n<\/ul>\n\n\n\n<p><strong>Key Fields:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Device Name<\/strong><\/li>\n\n\n\n<li><strong>Last User Logged On<\/strong><\/li>\n\n\n\n<li><strong>Days Since Last Logon<\/strong><\/li>\n\n\n\n<li><strong>Agent Last Contact Time<\/strong><\/li>\n\n\n\n<li>Domain Name<\/li>\n\n\n\n<li>OS Name<\/li>\n\n\n\n<li>Service Pack<\/li>\n\n\n\n<li>OS Version<\/li>\n\n\n\n<li>Last Boot Time<\/li>\n\n\n\n<li>IP Address<\/li>\n\n\n\n<li>Device Type<\/li>\n\n\n\n<li>MAC Address<\/li>\n\n\n\n<li>Platform<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>2. Computers with Active User Sessions<\/strong><\/h2>\n\n\n\n<p>Displays all computers where at least one user is currently logged in. This report shows real-time user sessions and session counts on each machine.<\/p>\n\n\n\n<p><strong>Use Cases:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Track who is currently logged in to which machine.<\/li>\n\n\n\n<li>Detect unauthorized or concurrent sessions.<\/li>\n\n\n\n<li>Monitor shared device activity.<\/li>\n<\/ul>\n\n\n\n<p><strong>Key Fields:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Device Name<\/li>\n\n\n\n<li>Domain Name<\/li>\n\n\n\n<li><strong>User Logon Count<\/strong><\/li>\n\n\n\n<li><strong>Logged-On User Name<\/strong><\/li>\n\n\n\n<li><strong>Logon Time<\/strong><\/li>\n\n\n\n<li>IP Address<\/li>\n\n\n\n<li>Device Type<\/li>\n\n\n\n<li>MAC Address<\/li>\n\n\n\n<li>Platform<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>3. Currently Logged-In Users<\/strong><\/h2>\n\n\n\n<p>Shows a user-centric view of all currently logged-in users across devices.<\/p>\n\n\n\n<p><strong>Use Cases:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Understand current user distribution.<\/li>\n\n\n\n<li>Audit concurrent logins across multiple systems.<\/li>\n\n\n\n<li>Monitor high-privilege or shared account usage.<\/li>\n<\/ul>\n\n\n\n<p><strong>Key Fields:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>User Name<\/strong><\/li>\n\n\n\n<li>Domain Name<\/li>\n\n\n\n<li><strong>Concurrent Logon Count<\/strong><\/li>\n\n\n\n<li><strong>Logged-On Device<\/strong><\/li>\n\n\n\n<li><strong>Last Logon Time<\/strong><\/li>\n\n\n\n<li>IP Address<\/li>\n\n\n\n<li>Device Type<\/li>\n\n\n\n<li>MAC Address<\/li>\n\n\n\n<li>Platform<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>4. User Logon Reports from Domain Controllers<\/strong><\/h2>\n\n\n\n<p>Provides a summary of user logons captured by each domain controller. Useful for auditing logon traffic at the AD infrastructure level.<\/p>\n\n\n\n<p><strong>Use Cases:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Analyze domain controller logon loads.<\/li>\n\n\n\n<li>Detect suspicious logon surges from specific controllers.<\/li>\n\n\n\n<li>Ensure logon events are correctly replicated across controllers.<\/li>\n<\/ul>\n\n\n\n<p><strong>Key Fields:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Domain Controller Name<\/strong><\/li>\n\n\n\n<li>Domain Name<\/li>\n\n\n\n<li><strong>User Logon Count<\/strong><\/li>\n\n\n\n<li><strong>Unique User Logon Count<\/strong><\/li>\n\n\n\n<li>IP Address<\/li>\n\n\n\n<li>Device Type<\/li>\n\n\n\n<li>MAC Address<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>5. User Logon History<\/strong><\/h2>\n\n\n\n<p>Tracks historical logon activity of each user across all devices, including timestamps and durations.<\/p>\n\n\n\n<p><strong>Use Cases:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Investigate user activity during security incidents.<\/li>\n\n\n\n<li>Identify patterns of excessive or abnormal access.<\/li>\n\n\n\n<li>Audit login hours and behavior for compliance.<\/li>\n<\/ul>\n\n\n\n<p><strong>Key Fields:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>User Name<\/strong><\/li>\n\n\n\n<li>Domain Name<\/li>\n\n\n\n<li><strong>User Logon Count<\/strong><\/li>\n\n\n\n<li><strong>Logged-On Device<\/strong><\/li>\n\n\n\n<li><strong>Last Logon Time<\/strong><\/li>\n\n\n\n<li><strong>Last Log Off Time<\/strong><\/li>\n\n\n\n<li><strong>Logon Duration<\/strong><\/li>\n\n\n\n<li><strong>Logon Type<\/strong><\/li>\n\n\n\n<li>IP Address<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>6. User Logon History by Computer<\/strong><\/h2>\n\n\n\n<p>Shows the user login history for each device. This system-centric view helps track who accessed which devices and when.<\/p>\n\n\n\n<p><strong>Use Cases:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect shared usage of individual computers.<\/li>\n\n\n\n<li>Monitor changes in workstation assignments.<\/li>\n\n\n\n<li>Identify possible unauthorized access.<\/li>\n<\/ul>\n\n\n\n<p><strong>Key Fields:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Device Name<\/strong><\/li>\n\n\n\n<li>Domain Name<\/li>\n\n\n\n<li><strong>User Logon Count<\/strong><\/li>\n\n\n\n<li><strong>Last Logged-On Username<\/strong><\/li>\n\n\n\n<li><strong>Last Logon Time<\/strong><\/li>\n\n\n\n<li><strong>Last Log Off Time<\/strong><\/li>\n\n\n\n<li><strong>Logon Duration<\/strong><\/li>\n\n\n\n<li>IP Address<\/li>\n\n\n\n<li>Device Type<\/li>\n\n\n\n<li>MAC Address<\/li>\n\n\n\n<li>Platform<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>7. User Logon History on Domain Controllers<\/strong><\/h2>\n\n\n\n<p>Lists user logon sessions specifically recorded by domain controllers, including duration and timestamps.<\/p>\n\n\n\n<p><strong>Use Cases:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Validate AD-based logon activity.<\/li>\n\n\n\n<li>Support incident investigation timelines.<\/li>\n\n\n\n<li>Correlate with centralized security logs (SIEMs).<\/li>\n<\/ul>\n\n\n\n<p><strong>Key Fields:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Domain Controller Name<\/strong><\/li>\n\n\n\n<li>Domain Name<\/li>\n\n\n\n<li><strong>Logon User Name<\/strong><\/li>\n\n\n\n<li><strong>Last Logon Time<\/strong><\/li>\n\n\n\n<li><strong>Last Log Off Time<\/strong><\/li>\n\n\n\n<li><strong>Logon Duration<\/strong><\/li>\n\n\n\n<li>IP Address<\/li>\n\n\n\n<li>Device Type<\/li>\n\n\n\n<li>MAC Address<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Pro Tips<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use filters (e.g., by username or device type) to narrow down specific queries.<\/li>\n\n\n\n<li>Schedule automated exports for regular audits.<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n","protected":false},"featured_media":0,"parent":2466,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","doc_tag":[],"class_list":["post-2530","docs","type-docs","status-publish","hentry"],"comment_count":0,"_links":{"self":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/2530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/types\/docs"}],"replies":[{"embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/comments?post=2530"}],"version-history":[{"count":3,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/2530\/revisions"}],"predecessor-version":[{"id":2953,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/2530\/revisions\/2953"}],"up":[{"embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/docs\/2466"}],"wp:attachment":[{"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/media?parent=2530"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/zecurit.com\/help\/wp-json\/wp\/v2\/doc_tag?post=2530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}