We were hit with a brute-force attack on our Exchange server last week, but ATA did not detect anything wrong. Should it have warned me that a single IP address was logging into our Exchange server (via OWA) all day and night with different user accounts?
How many different accounts were attempted? How many of them were existing accounts?
During which time span?
The fact that this was a single IP with many attempts would not alone trigger an alert, or we would have alerted on many false positives... Answers to the above questions might give more clarity about what happened...
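
The questions asked in the replies above (how many distinct accounts, how many of them exist, over what time span) can be answered from logon records with a short script. The following is an added example, not part of the original thread and not ATA's detection logic; the event tuple layout `(timestamp, source_ip, account, success)`, the threshold and window values, and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration only; these are not ATA's values.
MIN_DISTINCT_ACCOUNTS = 10
WINDOW = timedelta(hours=1)

def summarize(events, known_accounts):
    """Per source IP: attempts, distinct/existing accounts, time span, peak."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account.lower(), ok))
    report = {}
    for ip, rows in by_ip.items():
        rows.sort()
        accounts = {a for _, a, _ in rows}
        report[ip] = {
            "attempts": len(rows),
            "distinct_accounts": len(accounts),
            "existing_accounts": len(accounts & known_accounts),
            "span": rows[-1][0] - rows[0][0],
            "peak_accounts_in_window": _peak(rows),
        }
    return report

def _peak(rows):
    """Largest number of distinct failed accounts inside any WINDOW."""
    failed = [(ts, a) for ts, a, ok in rows if not ok]
    best = 0
    for i, (start, _) in enumerate(failed):
        seen = {a for ts, a in failed[i:] if ts - start <= WINDOW}
        best = max(best, len(seen))
    return best

def suspicious(report):
    # Attempt volume alone is ignored; only the account spread per window counts.
    return sorted(ip for ip, r in report.items()
                  if r["peak_accounts_in_window"] >= MIN_DISTINCT_ACCOUNTS)

# Constructed sample data (documentation IP ranges, made-up account names).
T0 = datetime(2024, 1, 1, 0, 0)
KNOWN = {f"user{i}" for i in range(8)} | {"alice", "bob"}
EVENTS = (
    # One source cycling through 20 account names, 8 of which exist.
    [(T0 + timedelta(minutes=2 * i), "203.0.113.7", f"user{i}", False) for i in range(20)]
    # A shared gateway: many attempts, but only two real accounts.
    + [(T0 + timedelta(minutes=i), "198.51.100.20", ("alice", "bob")[i % 2], i % 5 != 0)
       for i in range(60)]
)
REPORT = summarize(EVENTS, KNOWN)
```

In the sample data the gateway address produces three times as many attempts as the other source, yet only the address that spreads failures across many accounts is flagged.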