Need help understanding message in "Suspicion of identity theft based on abnormal behavior" RRS feed

  • General discussion

  • We got this alert and it indicated that a user's account had "Performed interactive login from 2 abnormal servers".  The user said they hadn't.  Looking at the two servers, there are no directories for the user in C:\Users\.  Looking in the event logs on the two servers, there don't appear to be logons with that user's account.  Are there any more details to be gleaned from ATA that would help us figure this out?
    Thursday, November 8, 2018 1:44 PM

All replies

  • Hello,

    You can refer to the ATA suspicious activity guide.

    Best regards,

    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 9, 2018 6:42 AM
  • Hi,

    Interactive logon in ATA means Logon type 2.

    Did you look for event 4624 on both servers?



    Sunday, November 11, 2018 11:49 AM