Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Explanation about this Azure ATP alert on Domain Controller

Copper Contributor


I have checked this alert in Azure ATP timeline. For privacy, I have changed the domain and DC names: 

non-existing account MYDOMAIN\SYSTEM attempted to logon | using Ntlm | against DC01013


Could someone give me a clear idea what it means? Basically, it is not possible to use an account called "system" in the domain. This kind of account is most commonly found on the local machine.



2 Replies

I guess this means someone tried to logon with the account domain\system on your domain controller...

Important to analyze this, would be, how many times did this event occur and from where was the logon attempt originating.

It can be someone is just checking if that account exists in your domain, or someone who just mistyped...

All relates to the other events...

But that's my opinion ;)

Hi @ECuadra ,


I will suggest to turn on 8004 events on your domain controllers, so you will get the full information about the NTLM authentications. Once you will enable this event Azure ATP will show you what is the server the account is trying to access.