A method and system for identifying an attacker device attempting an intrusion into a TCP/IP protocol based network that includes a managed device and a security event log. The managed device detects an incoming TCP/IP connection by the attacker device to the network. TCP/IP information relating to the attacker device is extracted from a TCP/IP stack of the managed device. It is ascertained that a port number of the incoming TCP/IP connection is identical to a predefined port number. A performed process includes determining that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device. Event log information, which is associated with the detected incoming TCP/IP connection, is retrieved from the security event log. A generated report is generated and stored in a database of the network. The report includes the extracted TCP/IP information and the retrieved event log information.