How can I be notified if a user logs in outside of business hours?

Windows logs security event id 4624 whenever a user logs on to a machine. Using the Hour/Day settings in an event log filter, you can receive an email alert if someone logs in outside of normal working hours.

Ensure that 4624 events are being logged to the event log. See the link for more information on auditing requirements.
Create a package and assign it to the hosts where after hours logons should be detected. You can also use an existing event log package such as the "Email Notification" package.
Copy the code shown below into the clipboard.
Click the package in the tree and then click the Paste button in the ribbon.
Add your (email) action to the filter.
Click the Hour/Day tab and adjust the schedule to reflect when you would like an alert. In the example below, you would receive an alert if someone logs in from 6PM to 7AM during the week or any time on Saturday or Sunday.

{
"type": 0,
"active": 1,
"name": "Logon After Hours",
"uuid": "6c9df039-fd75-4f4e-8b5f-9b14931a984d",
"version": 2,
"order": 0,
"isfolder": 0,
"applyToCollectorSideThresholds": 0,
"requireAck": 0,
"stopProcessing": 0,
"anomalyFiltering": 1701601889,
"logs": [ "SEC" ],"severities": [ "AUDITSUCCESS" ],"source": "Microsoft-Windows-Security-Auditing",
"eventid": "4624",
"chainType": 0,
"textfilters": [ { "insertionString": 8,
"comparisonType": 0,
"text": "10",
"type": 1
},{ "insertionString": 8,
"comparisonType": 0,
"text": "2",
"type": 1
}],"threshold": {
"type": 0,
"limit": 0,
"interval": 0,
"intervalScale": 0,
"processBefore": 0,
"processAfter": 0,
"processAfterFirstOnly": 0,
"logImmediate": 0,
"logInterval": 0,
"logSeverity": 0,
"matchType": 1

},"timer": {
"enable": 0,
"interval": 2,
"intervalScale": 1
},"bootBehavior": 0,
"schedule": {
"type": 0,
"behavior": 0,
"nthWeekdayOfMonth": 0,
"schedules": [ "1:1:1:1:1:0:0:18:00:07:00", "0:0:0:0:0:1:1:00:00:00:00"]
}
}