How do you have your LEM alert you of after hour logins? The default template yielded no responses when tested, and when I expanded it to just "logon" and "Source Domain", we received a few hundred emails in the course of 20 minutes.
The email rush was from service accounts and automated vendor accounts. I could have it ignore those, but we got reports from people who had left for the day but their workstation was locked. We also got messages from people who get their email on their mobile.
Below is a screenshot of my after hours logon rule. I have listed all of our service accounts in the Service Account user-defined group, so that we do not get false positives. I hope this helps.
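
The filtering discussed in this thread, sketched as an added example (not part of the original posts and not LEM rule syntax): after-hours logons alert only when the account is outside the service-account group and the logon is interactive. It assumes events carry Windows-style logon types and that the locked-workstation and mobile-mail noise arrives as non-interactive types; the business hours, account names and sample events are constructed.

```python
from datetime import datetime, time

# Assumptions for illustration: business hours and group members are placeholders.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(18, 0)
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql", "vendor_monitor"}  # constructed names

# Windows logon types: 2 = interactive, 10 = remote interactive,
# 3 = network (e.g. mail sync), 5 = service, 7 = workstation unlock.
ALERT_LOGON_TYPES = {2, 10}

def is_after_hours(ts):
    """True on weekends, or on weekdays outside BUSINESS_START..BUSINESS_END."""
    if ts.weekday() >= 5:  # Saturday = 5, Sunday = 6
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)

def should_alert(event):
    """Apply the group exclusion, the logon-type filter, then the time window."""
    user = event["user"].lower()
    if user in SERVICE_ACCOUNTS or user.endswith("$"):  # "$" = machine account
        return False
    if event["logon_type"] not in ALERT_LOGON_TYPES:
        return False
    return is_after_hours(datetime.fromisoformat(event["time"]))

# Constructed sample events (2024-03-05 is a Tuesday, 2024-03-09 a Saturday).
SAMPLE_EVENTS = [
    {"time": "2024-03-05T22:14:00", "user": "jsmith", "logon_type": 2},
    {"time": "2024-03-05T22:15:00", "user": "svc_backup", "logon_type": 5},
    {"time": "2024-03-05T22:16:00", "user": "adoe", "logon_type": 7},
    {"time": "2024-03-05T22:17:00", "user": "mlee", "logon_type": 3},
    {"time": "2024-03-05T10:00:00", "user": "jsmith", "logon_type": 2},
    {"time": "2024-03-09T11:00:00", "user": "rdpuser", "logon_type": 10},
]

def alerts(events):
    """Return (user, time) for every event that should raise an alert."""
    return [(e["user"], e["time"]) for e in events if should_alert(e)]

if __name__ == "__main__":
    for user, ts in alerts(SAMPLE_EVENTS):
        print(f"after-hours logon: {user} at {ts}")
```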