Problem: If you’ve received an alert for ACTIVE DIRECTORY | COMPUTERS WITH ANOMALOUS LOGIN ACTIVITY, the steps below walk you through investigation and remediation.
Steps to Resolution
Cause
This alert will appear if a user or service account attempts to log in to a system and the attempt produces a failed logon event.
This alert shows the systems with the bad logon event, but it does not currently return the user account that may have caused the event.
Investigation
In the actionable alert you should see a list of systems that have a bad logon count greater than 0 (see screenshot).
Log in to the Active Directory server that this alert came from, then open PowerShell and run the command below, replacing SYSTEMNAME with the name of the system in the alert:
Get-ADComputer -Identity SYSTEMNAME -Properties BadLogonCount | Select-Object -Property BadLogonCount
The returned BadLogonCount value for the system should be greater than 0.
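Because the alert does not name the account behind the count, the following added script (not part of this article) extends the single-system check above: it lists every computer with a non-zero BadLogonCount and correlates it with failed-authentication events in the Security log so the offending account can be identified. It assumes an elevated PowerShell session on a domain controller with the ActiveDirectory module and logon/credential-validation auditing enabled; the 24-hour window is an assumed value.

```powershell
# Added example, not the article's own command. Assumes an elevated session on a DC
# with the ActiveDirectory module and Security auditing of logons enabled.
Import-Module ActiveDirectory

# badPwdCount is not replicated between DCs; the PDC emulator holds the authoritative value.
$pdc = (Get-ADDomain).PDCEmulator

$suspects = Get-ADComputer -Server $pdc -Filter 'badPwdCount -gt 0' `
    -Properties BadLogonCount, LastBadPasswordAttempt |
    Select-Object Name, BadLogonCount, LastBadPasswordAttempt
$suspects | Format-Table -AutoSize
$names = @($suspects.Name | ForEach-Object { $_.ToUpper() })

# 4625 = failed logon, 4771 = Kerberos pre-auth failed, 4776 = NTLM credential validation failed.
# The 24-hour look-back is an assumed value; widen it if the alert is older.
$filter = @{ LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = (Get-Date).AddHours(-24) }
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4625 carries WorkstationName, 4776 carries Workstation (often prefixed with '\\'),
    # 4771 only carries the client IP, which is resolved to a host name where possible.
    $src = @($data['WorkstationName'], $data['Workstation'], $data['IpAddress']) |
           Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1
    if (-not $src) { continue }
    $src = $src -replace '^\\\\', ''
    if ($src -match '^\d+\.\d+\.\d+\.\d+$') {
        try { $src = ([System.Net.Dns]::GetHostEntry($src).HostName -split '\.')[0] } catch { }
    }
    $src = $src.ToUpper()

    # Keep only events that originate from a system the AD query flagged.
    if ($names -contains $src) {
        [pscustomobject]@{ Time = $ev.TimeCreated; EventId = $ev.Id; Source = $src; Account = $data['TargetUserName'] }
    }
}

# One row per (system, account) pair, most frequent first: the top entries are the
# accounts to check for an expired or stale password in a service or scheduled task.
$hits | Group-Object Source, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A system that appears in the AD query but has no matching rows usually means the failures were logged on a different DC or fall outside the look-back window.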
Resolution
Once a user or service account logs in to the device successfully, this count should reset on the AD server.
Items to consider
If a system keeps appearing in the alert and you confirm that its bad logon count is 0 for a time and then increases again, there may be a service trying to log in with an expired password.
If there are successful logins but the AD server continues to report a bad logon count greater than 0, this may be due to the sync or replication settings of the AD environment.
Outcome: The above should give a better understanding of the anomalous login alert and the steps needed to resolve it.
Alternatives: If you have any questions or run into any issues please reach out to Support.
For more information, please visit Microsoft's Documentation.