Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
SOLVED

Microsoft Defender 365 Alert issue

Iron Contributor

Hi,

 

I need some help clarifying some Logs I'm looking at.

I got an incident registered on Microsoft 365 Defender, which the source is Endpoint and the incident description is: Successful logon from known brute-force source on one endpoint.

So I got the investigation package from the machine and found out looking at the Logs that there is a Brute Force attempt, which was successful on one user, from an external IP, which is not even the user which is using the machine usually.
I also got the security log from the machine itself and can see the event ID 4624 on the domain user, with logon type 3 (network logon), from the external IP.
So my question is, being the logon from an external IP, what are the possible circumstances that an external IP is doing a brute force on a specific machine on my network?
Does this mean that this machine is compromised and being used for lateral movement?
Or any other plausible explanation for a network logon being done from an external IP?

 

Thanks

1 Reply
best response confirmed by dmarquesgn (Iron Contributor)
Solution
Hey David! Just moved your discussion to the Microsoft 365 Defender space where you're more likely to get an answer. Thanks!
1 best response

Accepted Solutions
best response confirmed by dmarquesgn (Iron Contributor)
Solution
Hey David! Just moved your discussion to the Microsoft 365 Defender space where you're more likely to get an answer. Thanks!

View solution in original post