I am not sure if you understood my question well. This IP address is being used to log in to the Exchange server we use. This is one of the many. I suspect this is an attack because the IP is fraudulent according to the web services I used to check it. And not all the domain users are used...
Hello dear friends. I wanted to ask you about some logs from my Exchange server which I catch with QRadar. They are all with qid: 5000830 or eventid:4624 which is a successful login to a server or anything. I use a rule which tells me if someone logs in to the Exchange server from an...