Microsoft Defender 365 Alert issue

Hi,

I need some help clarifying some logs I'm looking at.

I got an incident registered in Microsoft 365 Defender, for which the source is Endpoint and the incident description is: Successful logon from known brute-force source on one endpoint.

So I got the investigation package from the machine and found out, looking at the logs, that there is a brute-force attempt, which was successful on one user, from an external IP, and it is not even the user who usually uses the machine.
I also got the security log from the machine itself and can see event ID 4624 for the domain user, with logon type 3 (network logon), from the external IP.
So my question is, given that the logon is from an external IP, what are the possible circumstances in which an external IP is doing a brute force on a specific machine on my network?
Does this mean that this machine is compromised and being used for lateral movement?
Or is there any other plausible explanation for a network logon being done from an external IP?

Thanks
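The pattern described in the question (a burst of failed logons followed by a successful Event ID 4624 with logon type 3 from an address outside the network) can be checked mechanically over an exported security log. The script below is an added example, not code from the original post or from Microsoft; it assumes a constructed one-line-per-event export with the fields timestamp, EventID, account, LogonType and IpAddress, an assumed list of internal address ranges, and an assumed threshold of five failures in ten minutes. The sample addresses are from the 203.0.113.0/24 documentation range and are invented.

```python
"""Flag 4624 network logons (type 3) from external addresses that follow a
run of 4625 failures from the same source IP (the brute-force-then-success
pattern raised in the question). Added example with constructed data."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Address space treated as "inside the network". This list is an assumption
# for the example; replace it with the ranges your environment actually uses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample export (hypothetical values, not from the original post):
# timestamp  EventID  account  LogonType  IpAddress
SAMPLE_LOG = """\
2024-03-01T02:10:05 4625 jsmith 3 203.0.113.45
2024-03-01T02:10:06 4625 jsmith 3 203.0.113.45
2024-03-01T02:10:07 4625 jsmith 3 203.0.113.45
2024-03-01T02:10:08 4625 jsmith 3 203.0.113.45
2024-03-01T02:10:09 4625 jsmith 3 203.0.113.45
2024-03-01T02:10:11 4624 jsmith 3 203.0.113.45
2024-03-01T02:12:00 4625 asmith 3 10.0.0.7
2024-03-01T02:12:30 4624 asmith 3 10.0.0.7
2024-03-01T08:00:00 4624 jsmith 2 -
"""


def parse(text):
    """Turn the whitespace-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ltype, ip = line.split()
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "user": user, "logon_type": int(ltype), "src_ip": ip})
    return events


def is_external(ip):
    """True when the address is routable and not in an internal range.
    Local and interactive logons record '-' (or nothing) as the source."""
    if ip in ("-", ""):
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_bruteforce_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Return one finding per successful external network logon that was
    preceded, within `window`, by at least `min_failures` 4625 events from
    the same source IP. Failures are tracked per IP, not per account, so a
    spray across several users still counts."""
    events = sorted(events, key=lambda e: e["time"])
    failures = defaultdict(list)  # src_ip -> timestamps of 4625 events
    findings = []
    for e in events:
        if e["id"] == 4625:
            failures[e["src_ip"]].append(e["time"])
        elif e["id"] == 4624 and e["logon_type"] == 3 and is_external(e["src_ip"]):
            recent = [t for t in failures[e["src_ip"]] if e["time"] - t <= window]
            if len(recent) >= min_failures:
                findings.append({
                    "src_ip": e["src_ip"],
                    "user": e["user"],
                    "failures_before": len(recent),
                    "success_time": e["time"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for f in find_bruteforce_success(parse(SAMPLE_LOG)):
        print(f"external network logon for {f['user']} from {f['src_ip']} "
              f"at {f['success_time']} after {f['failures_before']} failures")
```

On the sample data only the jsmith logon from 203.0.113.45 is reported: the asmith attempt comes from an internal address and the later jsmith event is an interactive logon with no source address. A finding of this kind says that a service on the host that accepts network logons (SMB, RPC and similar) was reachable from that external address, so the host's actual exposure is the next thing to verify.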

1 Reply
Hey David! Just moved your discussion to the Microsoft 365 Defender space where you're more likely to get an answer. Thanks!