Obviously, test right before and just after patching. You should be in the habit of checking people's login/logout activity. Usually a spot check will do. Personally, I just look for anything at all out of the ordinary. For example, a VPN user logging in at 2 PM from an unrecognized IP address should be a red flag. It i