Particular user has by far the most UserLogonFailure Logs.

kmcgowan

Looking at "Failed Logons by DestinationAccount" from the dashboard, this one user has many failures per hour, all day and night. There are also successful logins as this is an enabled and active user account.  My question is, "Is there a misconfiguration somewhere?"   Not being an exchange expert, my out in the weeds guess to recycle an Exchange app pool.  But I'd like to know what could be going on here if anyone has an idea or has seem this before.  Details below have been altered for privacy. 

• Event Type
  UserLogonFailure
• EventInfo
  Logon Failure "domain\user"
• DetectionIP
  EXCHANGE.domain
• ToolAlias
  Vista Security
• ProviderSID
  Microsoft-Windows-Security-Auditing 4625
• LogonProcess
  Advapi
• InsertionTime
  2020-10-29 16:07:36
• Manager
  NAMELEM
• SourceDomain
  DOMAIN
• DetectionTime
• 2020-10-29 16:07:35
• ExtraneousInfo
  SourcePort: 50418; Call-ProcessName: C:\Windows\System32\inetsrv\w3wp.exe;
• DestinationAccount
  user
• DestinationMachine
  EXCHANGE.domain
• AuthPackage
  Negotiate
• FailureCount
  1
• DestinationDomain
  domain
• SourceAccount
  EXCHANGE$
• LogonType
  Windows: Network Cleartext Logon
• Severity
  4
• SourceLogonID
  0x3e7
• FailureReason
  Unknown user name or bad password.
• InsertionIP
  EXCHANGE.domain
• ManagerTime
  2020-10-29 16:07:36
• SourceMachine
  IP address

vitezslav.papiez

Hello,

I am glad you reached out. This is the example where SEM plays the key role. Identify the potential threat and visualize where, who and when tries to get into your system. 

I did a little bit of searching on the Internet and based on the discussion, the process can be used by a malicious code - malware. There were some recommendation made to do deep scans of your system to make sure that it is virus free. 

I am sorry that I did not point you directly to the solution. 

V*