Forum Discussion

dmarquesgn
Oct 07, 2021
Solved

Microsoft Defender 365 Alert issue

Hi,


I need some help clarifying some logs I'm looking at.

I got an incident registered in Microsoft 365 Defender where the source is Endpoint and the incident description is: Successful logon from known brute-force source on one endpoint.

So I got the investigation package from the machine and, looking at the logs, found that there was a brute-force attempt from an external IP that succeeded on one user, who is not even the user who usually uses the machine.
I also got the Security log from the machine itself and can see event ID 4624 for the domain user, with logon type 3 (network logon), from the external IP.
So my question is, since the logon comes from an external IP, what are the possible circumstances in which an external IP is brute-forcing a specific machine on my network?
Does this mean that this machine is compromised and is being used for lateral movement?
Or is there any other plausible explanation for a network logon being done from an external IP?


Thanks
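As an added example (not from the original post or from Microsoft), the correlation the question describes, a run of failed logons (4625) followed by a successful 4624 with logon type 3 from a non-internal address, applied to constructed sample events. The internal address ranges, the event records and the failure threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Ranges treated as "inside the network" (assumed here). Listed explicitly so the
# check reflects the organisation's own address plan, not a library's idea of "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10")]

# Constructed sample Security-log events (not real data). 4625 = failed logon,
# 4624 = successful logon; LogonType 3 is a network logon. 203.0.113.45 is a
# documentation address standing in for an external source.
EVENTS = [
    {"EventID": 4625, "Time": "2021-10-06T02:10:01", "TargetUserName": "jdoe", "IpAddress": "203.0.113.45", "LogonType": 3},
    {"EventID": 4625, "Time": "2021-10-06T02:10:04", "TargetUserName": "jdoe", "IpAddress": "203.0.113.45", "LogonType": 3},
    {"EventID": 4625, "Time": "2021-10-06T02:10:07", "TargetUserName": "jdoe", "IpAddress": "203.0.113.45", "LogonType": 3},
    {"EventID": 4624, "Time": "2021-10-06T02:10:09", "TargetUserName": "jdoe", "IpAddress": "203.0.113.45", "LogonType": 3},
    {"EventID": 4625, "Time": "2021-10-06T08:00:00", "TargetUserName": "asmith", "IpAddress": "10.1.2.3", "LogonType": 3},
    {"EventID": 4624, "Time": "2021-10-06T08:00:05", "TargetUserName": "asmith", "IpAddress": "10.1.2.3", "LogonType": 3},
    {"EventID": 4624, "Time": "2021-10-06T08:30:00", "TargetUserName": "asmith", "IpAddress": "-", "LogonType": 2},
]

def is_external(ip):
    """True when the source address parses and lies outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "-" or empty, as Windows writes for local logons
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def find_successful_bruteforce(events, min_failures=3):
    """Replay events in time order and return (ip, user, failure_count) for each
    4624 network logon (LogonType 3) from an external IP that was preceded by at
    least min_failures 4625 events from the same IP. Counts are per source IP and
    not time-windowed, which keeps the example short."""
    failures = defaultdict(int)
    hits = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        ip = ev["IpAddress"]
        if ev["EventID"] == 4625:
            failures[ip] += 1
        elif ev["EventID"] == 4624 and ev["LogonType"] == 3:
            if failures[ip] >= min_failures and is_external(ip):
                hits.append((ip, ev["TargetUserName"], failures[ip]))
    return hits

if __name__ == "__main__":
    for ip, user, n in find_successful_bruteforce(EVENTS):
        print(f"{ip} logged on as {user} over the network after {n} failures")
```

The same logic maps directly onto the 4625/4624 records in an exported Security log; the internal-range list is the part to adapt to your own network.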

Trevor_Rusher
Community Manager

Hey David! Just moved your discussion to the Microsoft 365 Defender space where you're more likely to get an answer. Thanks!
