That question is pretty broad; do you have a specific example of what you're looking for? I would say logon failures, in a way. The LEM normalizes the data that is being generated by your system, so it's legitimate events, but you would see Inferred Incidents reported for multiple logon failures, say in 30 seconds, that may trigger additional alerting depending on your rules. This could be an attack, or it could be someone changed a service account password and hasn't updated the appropriate configs yet (tools, scripts, network shares, etc.). You would have to dig into the data to find out why it's happening, where it's happening, and then resolve it so that you don't get those events.
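As an added illustration of the correlation this reply describes (this is not LEM's own rule logic, and the events below are constructed): count logon failures per account in a sliding 30-second window, and record whether they all come from one source host, which is the first thing to check when deciding between an attack and a service account whose password was changed but not updated in a tool or script.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of normalized logon-failure events (not real LEM output):
# (timestamp, account, source host)
EVENTS = [
    ("2024-05-01 08:00:00", "svc_backup", "backup01"),
    ("2024-05-01 08:00:05", "svc_backup", "backup01"),
    ("2024-05-01 08:00:10", "svc_backup", "backup01"),
    ("2024-05-01 08:00:15", "svc_backup", "backup01"),
    ("2024-05-01 08:00:20", "svc_backup", "backup01"),
    ("2024-05-01 08:00:02", "jdoe", "10.0.0.5"),
    ("2024-05-01 08:00:03", "jdoe", "10.0.0.6"),
    ("2024-05-01 08:00:04", "jdoe", "10.0.0.7"),
    ("2024-05-01 08:00:06", "jdoe", "10.0.0.8"),
    ("2024-05-01 08:00:07", "jdoe", "10.0.0.9"),
    ("2024-05-01 08:01:30", "asmith", "wks12"),
    ("2024-05-01 08:03:00", "asmith", "wks12"),
]

WINDOW = timedelta(seconds=30)   # assumed window, matching the reply's "say in 30 seconds"
THRESHOLD = 5                    # assumed failure count that raises an incident


def infer_incidents(events, window=WINDOW, threshold=THRESHOLD):
    """Return one incident per account whose failures reach `threshold`
    inside any sliding `window`. `single_source` is a triage hint only:
    a fixed cadence from one host points at a stale credential in a
    tool, script or share; many hosts or accounts needs a closer look."""
    parsed = sorted(
        (datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), acct, src)
        for t, acct, src in events
    )
    recent = defaultdict(deque)  # account -> (time, source) pairs inside the window
    incidents = {}
    for ts, account, source in parsed:
        q = recent[account]
        q.append((ts, source))
        while q and ts - q[0][0] > window:  # evict events older than the window
            q.popleft()
        if len(q) >= threshold and account not in incidents:
            sources = sorted({s for _, s in q})
            incidents[account] = {
                "failures": len(q),
                "first_seen": q[0][0],
                "sources": sources,
                "single_source": len(sources) == 1,
            }
    return incidents
```

Once the accounts are listed this way, the next step is exactly what the reply says: go to the source hosts in the incident and find the tool or share still holding the old password, or confirm there is none.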