Your Office Computers Are Telling You Things. You’re Just Not Listening.

Every Windows PC in your office is generating a constant stream of security events. Someone powered on the accounts machine at 7 AM. A wrong password was entered on the reception desk twice at 11 PM. The warehouse terminal went to sleep at 6 PM and woke up at 2 AM with no login attempt. Your main workstation was shut down unexpectedly in the middle of the afternoon.

All of this happened. None of it reached you.

Not because the information wasn’t there — Windows records every single one of these events. But because there’s no one sitting in front of a security console watching it. You’re a small business. You don’t have a sysadmin. You have a business to run.

That’s exactly the gap Login AlertX closes. It watches all 23 security events across every Windows machine in your office and sends them to a single Slack channel, Google Chat space, or Microsoft Teams channel — wherever your team already lives. You don’t go looking for the information. It comes to you.

This guide explains what those 23 events actually are, why each one matters for a business environment, and how to get all of them flowing into one place.


Why “Just Login Alerts” Isn’t Enough

Most people’s mental model of PC security starts and ends with the login. Someone knows the password — they’re in. Someone doesn’t — they’re out.

The reality of how someone actually misuses a computer is messier than that.

A login is just one moment in a machine’s day. What about when an employee locks their screen and walks away — and someone else sits down and unlocks it? What about a machine that gets remotely accessed over the network using credentials from a previous employee? What about a computer that reboots at 3 AM for no obvious reason, which is often the first sign of malware installing updates?

Each of those scenarios has a corresponding event. Login AlertX monitors all of them — 23 in total across three categories — and you choose exactly which ones trigger an alert.


The 23 Events, In Plain English

Here’s everything Login AlertX watches, explained the way it matters to a business owner rather than a security manual.

Category 1: Logins and Authentication (5 Events)

Login — Someone started a Windows session from a fully logged-out state. This is the primary event: a cold boot followed by a password entry, or a user switch. This is what most people picture when they think of “login monitoring.”

First Login — The very first login on that machine for the day. Useful if you want a simple daily check-in signal: “Accounts PC came online at 8:52 AM.” Less noisy than tracking every login if your team logs in and out frequently.

Failed Login — Someone entered the wrong password or PIN. One failed attempt might be a tired employee mistyping. Three failed attempts in quick succession is someone who doesn’t know the password trying to guess it. This event is the difference between knowing and not knowing.

Brute Force — Multiple failed login attempts in a short window, automatically detected. This isn’t someone mistyping — this is systematic. Could be automated. Could be a person determined to get in. Either way, you want to know the moment it starts, not after it succeeds.

Login via Lock — Someone logged into a machine that was previously locked with Windows Key + L. This is a higher-security event than a standard login, because it means someone intentionally secured the workstation beforehand and then someone (the same person, or someone else) came back and unlocked it. If it wasn’t the same person, that’s significant.
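The Brute Force event above comes down to counting failed logins per machine inside a sliding time window. The sketch below is an added example, not Login AlertX's own code; the threshold of three failures in two minutes and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Assumed values: the page does not state the product's real thresholds.
THRESHOLD = 3
WINDOW = timedelta(minutes=2)

# Constructed sample events: (timestamp, machine, event name)
SAMPLE_EVENTS = [
    ("2024-05-06 08:49:10", "ACCOUNTS-PC", "Failed Login"),     # one morning typo
    ("2024-05-06 08:49:25", "ACCOUNTS-PC", "Login"),
    ("2024-05-06 23:00:05", "RECEPTION-DESK", "Failed Login"),  # rapid burst
    ("2024-05-06 23:00:40", "RECEPTION-DESK", "Failed Login"),
    ("2024-05-06 23:01:15", "RECEPTION-DESK", "Failed Login"),
    ("2024-05-06 23:01:30", "RECEPTION-DESK", "Failed Login"),
    ("2024-05-06 23:30:00", "WAREHOUSE-PC", "Failed Login"),    # slow, spread out
    ("2024-05-06 23:45:00", "WAREHOUSE-PC", "Failed Login"),
]

def detect_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """Return one (machine, burst_start, count) alert per burst of failures."""
    recent = defaultdict(deque)  # machine -> failure times still inside the window
    in_burst = set()             # machines whose current burst was already reported
    alerts = []
    for ts, machine, name in sorted(events):  # ISO timestamps sort chronologically
        if name != "Failed Login":
            continue
        when = datetime.strptime(ts, FMT)
        q = recent[machine]
        q.append(when)
        while when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) < threshold:
            in_burst.discard(machine)  # burst is over; a later one alerts again
        elif machine not in in_burst:
            in_burst.add(machine)      # alert once per burst, not once per attempt
            alerts.append((machine, q[0].strftime(FMT), len(q)))
    return alerts

if __name__ == "__main__":
    for machine, start, count in detect_brute_force(SAMPLE_EVENTS):
        print(f"Brute Force on {machine}: {count} failures since {start}")
```

The single mistyped password and the two failures fifteen minutes apart stay below the threshold; only the rapid burst on RECEPTION-DESK is reported, and it is reported once.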


Category 2: Sessions and Remote Access (5 Events)

Screen Lock — Someone pressed Windows Key + L and locked their workstation. Useful as a baseline signal: your accounts manager locks their screen every time they step away. If they stop doing that, you might notice.

Screen Unlock — The machine woke from a screensaver or standby and someone entered credentials to return to the session. Different from Login via Lock: this is a lighter event, like coming back from a coffee break when the screen went dark automatically.

Logoff — Someone fully logged out of their Windows account. Useful for tracking end-of-day discipline: did the team actually log out of the shared machine, or just walk away with an active session?

RDP Connect — Someone connected to this machine remotely over the network using Remote Desktop Protocol. This one deserves special attention for businesses. RDP connections are one of the most common vectors for unauthorised access — not physical break-ins, but remote ones using stolen or guessed credentials. If you didn’t expect an RDP connection, you want to know about it immediately.

RDP Disconnect — An active remote connection was terminated. Helps you understand the full picture of a remote session: when it started, when it ended, how long it lasted.


Category 3: Power and System Events (8 Events)

This is the category most businesses overlook entirely, and it’s where some of the most useful signals live.

Powered On — The machine started up and Windows is ready. This tells you when each computer came online every day. If your office opens at 9 AM and a machine powered on at 6:30 AM, that’s worth a look.

Shut Down — The machine was manually shut down or restarted through the Windows interface. A normal event at end of day. Unusual at other times.

Sleep — The machine entered sleep mode. Combined with Resumed, this gives you a picture of idle periods during the day.

Hibernated — The machine wrote its memory to disk and fully powered down into hibernation. A deeper state than sleep, more common on laptops.

Resumed — The machine woke from sleep or hibernation and arrived at the Windows lock screen. This is the moment before a login attempt — the machine is active, awaiting credentials.

Sleep Login — Someone woke the machine and successfully entered credentials to return to their session. The combination of Resumed followed quickly by Sleep Login shows you the full wake-and-access sequence.

Unexpected Reboot — The system detected that its previous shutdown was unclean. The power cable was pulled. The machine crashed. Windows updates forced a restart without a proper shutdown. This event fires retroactively when the PC next boots and checks its own logs. For servers or always-on machines, an unexpected reboot is a significant event.


What a Day of Alerts Actually Looks Like

Here’s a realistic morning for a small business with three office machines — all feeding into one Slack channel:

08:47 — ACCOUNTS-PC — Powered On
         User: Sarah | IP: 103.21.xx.xx | Mumbai

08:49 — ACCOUNTS-PC — Login
         User: Sarah | First login of day

09:12 — RECEPTION-DESK — Powered On
         User: (awaiting login)

09:14 — RECEPTION-DESK — Login
         User: Priya | First login of day

11:30 — ACCOUNTS-PC — Screen Lock
         User: Sarah (stepped away)

11:44 — ACCOUNTS-PC — Screen Unlock
         User: Sarah (returned)

13:02 — RECEPTION-DESK — Screen Lock
         User: Priya (lunch break)

14:55 — RECEPTION-DESK — Login via Lock
         User: Priya (returned from lunch)

18:30 — ACCOUNTS-PC — Shut Down
18:41 — RECEPTION-DESK — Logoff

23:14 — ACCOUNTS-PC — RDP Connect
         User: Unknown | IP: 185.47.xx.xx | Location: Romania
         ⚠️ Risk Score: 0.94 — Unusual location, outside working hours

The first nine entries are background noise you glance at and move on. The last one is the reason you set this up.


One Channel for Every Machine

The reason a single shared channel works better than individual alerts per machine is exactly what that last example illustrates — you see the pattern across machines, not just on one.

When Login AlertX is installed on each PC and all are pointed at the same webhook URL (Slack) or incoming webhook (Google Chat / Teams), every event from every machine lands in the same stream. The machine name in each alert tells you which computer it came from.

This means:

  • You see if multiple machines get probed in the same night
  • You notice if one machine is never properly logged out at end of day while others are
  • You catch the contrast between normal daily activity and something that happens outside it

No dashboard to check. No separate inboxes per machine. One channel. One place.

Setting Up the Channel — Your Three Options

Slack works through an Incoming Webhook. You create a webhook URL in Slack’s API settings, point it at your #office-security channel, paste it into Login AlertX on each machine. Every machine sends to that same URL, and every alert lands in the channel.

Microsoft Teams works through a similar incoming webhook setup in your Teams workspace. Create a webhook in the channel settings, copy the URL, paste it into Login AlertX. Done.

Google Chat uses Google Chat’s Incoming Webhooks feature. In your Google Chat space settings, add an app, choose “Incoming Webhook,” copy the URL. Same process.

All three integrations are available as plugins through Login AlertX, each a one-time purchase that works alongside any plan. The setup guide for each is in the Login AlertX documentation.


Choosing Which Events to Turn On

You don’t have to — and probably shouldn’t — turn on all 23 events for every machine from day one.

A practical starting point for most small businesses:

Turn on immediately (Free plan):

  • Login
  • First Login

Add these on Premium to start building real awareness:

  • Failed Login
  • Brute Force
  • RDP Connect / RDP Disconnect
  • Powered On
  • Unexpected Reboot

Add based on your situation:

  • Logoff — if you have staff on shared machines who should be logging out properly
  • Screen Lock / Unlock — if you have high-access machines like finance or HR where you want granular visibility
  • Sleep Login — if you have laptops that leave the office and you want to track when they’re accessed

Use Notification Scheduling to reduce noise:

Login AlertX lets you set a time window for alerts. If your office runs 9 AM to 7 PM, you might only want after-hours alerts — events between 7 PM and 9 AM get priority, daytime events get logged but don’t ping you. That way the channel isn’t full of routine morning logins, and you immediately notice when something outside normal hours arrives.


What Happens When Something Looks Wrong

The alert arrives in your channel. What then?

For most events, the answer is nothing — you read it, it matches what you’d expect, you move on.

For a high-risk event — an RDP connection from an unexpected location, a brute-force attempt, an after-hours login — here’s the immediate response that matters:

Step 1: Check the machine name and username. Do you recognise the user account? Is the machine one that should be accessible remotely?

Step 2: Check the IP and location. Login AlertX includes geolocation in every alert. If the location is a country you’ve never done business with, that’s a signal.

Step 3: Check the risk score. Premium accounts get an AI-assigned risk score from 0 to 1 based on how unusual the event is compared to that machine’s normal patterns. A score above 0.70 triggers a priority alert automatically.

Step 4: Act. If it looks wrong, change the password for that user account immediately. Disable Remote Desktop on the machine if you’re not actively using it. Disconnect the machine from the network if you can. Then investigate from there.

The key is that you’re doing this within minutes of the event, not discovering it weeks later when the damage is already done.
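Notification Scheduling and the risk-score threshold in Step 3 together decide whether an alert pings you or is only logged. The sketch below is an added example, not Login AlertX's own code; it uses the 9 AM to 7 PM office hours and the 0.70 threshold from the text, while the function names and the alerts marked as constructed are assumptions. The detail that is easy to get wrong is that the after-hours window wraps past midnight.

```python
from datetime import time

OFFICE_OPEN = time(9, 0)    # office hours used in the text: 9 AM to 7 PM
OFFICE_CLOSE = time(19, 0)
RISK_PRIORITY = 0.70        # text: a score above 0.70 triggers a priority alert

# Alerts modelled on the sample day; the two marked entries are constructed.
SAMPLE_ALERTS = [
    {"time": "08:47", "machine": "ACCOUNTS-PC", "event": "Powered On"},
    {"time": "09:14", "machine": "RECEPTION-DESK", "event": "Login"},
    {"time": "14:10", "machine": "ACCOUNTS-PC", "event": "RDP Connect",
     "risk": 0.81},                                               # constructed
    {"time": "18:41", "machine": "RECEPTION-DESK", "event": "Logoff"},
    {"time": "19:00", "machine": "RECEPTION-DESK", "event": "Login"},  # constructed
    {"time": "23:14", "machine": "ACCOUNTS-PC", "event": "RDP Connect",
     "risk": 0.94},
]

def in_window(t, start, end):
    """True if t is in [start, end), including windows that wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # e.g. 19:00 -> 09:00 spans two calendar days

def route(alert):
    """Return 'priority' (ping the channel) or 'log-only' (record silently)."""
    hh, mm = map(int, alert["time"].split(":"))
    after_hours = in_window(time(hh, mm), OFFICE_CLOSE, OFFICE_OPEN)
    risky = alert.get("risk", 0.0) > RISK_PRIORITY
    return "priority" if (after_hours or risky) else "log-only"

def priority_alerts(alerts):
    """The alerts that should interrupt someone, in their original order."""
    return [f'{a["time"]} {a["machine"]} {a["event"]}'
            for a in alerts if route(a) == "priority"]

if __name__ == "__main__":
    for line in priority_alerts(SAMPLE_ALERTS):
        print("PING:", line)
```

With a strict 9 AM boundary, the 08:47 power-on counts as after-hours, so decide whether to open the quiet window earlier for staff who routinely arrive before opening time.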


The Honest Answer to “Do I Really Need This?”

Most small businesses will go years without a serious security incident on their office PCs. The bad outcome everyone imagines — an external hacker remotely accessing your machine — is real but not the most common scenario.

The more common scenario is subtler: a former employee accessing a machine with a Windows account that was never removed. A contractor doing something on a shared machine that they shouldn’t have. A family member of the office manager sitting down at the work PC and opening things they shouldn’t. An unexpected reboot that turns out to be malware silently installing itself.

None of those are dramatic. None of them feel like “hacking.” But all of them leave a trace — in the login logs, the failed attempts, the unexpected reboots — that you currently have no way of seeing.

Login AlertX makes those traces visible. And once you’ve seen them once, you can’t un-know that they were always there, just quietly happening without you.


Download Login AlertX Free — Windows 7 through 11 · Runs silently as a background service · All data stays on your machine
