locked
Need help understanding message in "Suspicion of identity theft based on abnormal behavior" RRS feed

 > 

  • General discussion

  • Discussion
    Sign in to vote
    0
    Sign in to vote
    We got this alert and it indicated that a user's account had "Performed interactive login from 2 abnormal servers".  The user said they hadn't.  Looking at the two servers, there are no directories for the user in C:\Users\.  Looking in the event logs on the two servers, there don't appear to be logons with that user's account.  Are there any more details to be gleaned from ATA that would help us figure this out?
    Thursday, November 8, 2018 1:44 PM

All replies

  • Discussion
    Sign in to vote
    0
    Sign in to vote

    Hello,

    You can refer to the ATA suspicious activity guide.

    Best regards,

    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 9, 2018 6:42 AM
  • Discussion
    Sign in to vote
    0
    Sign in to vote

    Hi,

    Interactive logon in ATA means Logon type 2.

    Did you look for event 4624 on both servers?

    Thanks,

    Tali

    Sunday, November 11, 2018 11:49 AM