Forum Discussion
ECuadra
Nov 28, 2019 · Copper Contributor
Explanation about this Azure ATP alert on Domain Controller
Hello, I have checked this alert in the Azure ATP timeline. For privacy, I have changed the domain and DC names: non-existing account MYDOMAIN\SYSTEM attempted to logon | using Ntlm | against DC01013 ...
Matthias_VDB
Nov 29, 2019 · MCT
I guess this means someone tried to log on with the account domain\system on your domain controller...
What would be important for analyzing this is how many times this event occurred and where the logon attempt originated from.
It could be that someone is just checking whether that account exists in your domain, or someone who just mistyped...
It all relates to the other events...
But that's my opinion 😉
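
Added example, not part of the original posts: a small Python triage that answers the two questions raised in the reply above (how often, and from where) by grouping failed logons for non-existing accounts per source. The record layout, host names, extra account names and thresholds are constructed assumptions, not an Azure ATP export format.

```python
from collections import defaultdict

# Constructed sample records (assumed layout, not an Azure ATP export):
# (timestamp, source_host, account, protocol, target_dc)
SAMPLE_EVENTS = [
    ("2019-11-28T08:01:10", "WS-0042", "MYDOMAIN\\SYSTEM", "Ntlm", "DC01013"),
    ("2019-11-28T09:15:00", "SRV-APP7", "MYDOMAIN\\SYSTEM", "Ntlm", "DC01013"),
    ("2019-11-28T09:45:00", "SRV-APP7", "MYDOMAIN\\SYSTEM", "Ntlm", "DC01013"),
    ("2019-11-28T10:15:00", "SRV-APP7", "MYDOMAIN\\system", "Ntlm", "DC01013"),
    ("2019-11-28T10:45:00", "SRV-APP7", "MYDOMAIN\\SYSTEM", "Ntlm", "DC01013"),
    ("2019-11-28T11:02:01", "WS-0099", "MYDOMAIN\\SYSTEM", "Ntlm", "DC01013"),
    ("2019-11-28T11:02:03", "WS-0099", "MYDOMAIN\\admin1", "Ntlm", "DC01013"),
    ("2019-11-28T11:02:05", "WS-0099", "MYDOMAIN\\backup", "Ntlm", "DC01013"),
]

# Assumed thresholds; tune them to the environment.
ENUM_DISTINCT_ACCOUNTS = 3   # distinct non-existing names from one source
REPEAT_ATTEMPTS = 3          # same name retried from one source


def triage(events):
    """Group non-existing-account logon attempts by originating host."""
    by_source = defaultdict(list)
    for ts, source, account, _protocol, _dc in events:
        # Account names are case-insensitive in AD, so normalise before counting.
        by_source[source].append((ts, account.lower()))

    report = {}
    for source, hits in by_source.items():
        accounts = {acct for _, acct in hits}
        if len(accounts) >= ENUM_DISTINCT_ACCOUNTS:
            verdict = "enumeration"   # many names tried: someone probing which exist
        elif len(hits) >= REPEAT_ATTEMPTS:
            verdict = "repeated"      # one name retried: look for a service or task
        else:
            verdict = "isolated"      # one-off: consistent with a mistyped name
        report[source] = {
            "attempts": len(hits),
            "accounts": sorted(accounts),
            "first_seen": min(ts for ts, _ in hits),
            "last_seen": max(ts for ts, _ in hits),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, info["attempts"], info["verdict"], info["accounts"])
```
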