I have got 7 brute force alert signals, where all the attacker IPs belong to internal IPs and the victim is the AD server. On further investigation, I have not found any bad credentials in the AD logs.
As per the workbook, if more than 50 attempts happen in 15 minutes then a signal has to be generated, but the same should be reflected in AD as well. We have an account lockout policy in place to block the account for 15 minutes after 3 failed attempts.
Please suggest how to investigate further.
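
One way to reconcile the signal with the AD logs, as an added example that is not part of the original post: replay the 50-in-15-minutes rule over the raw attempts, then count AD authentication failures per flagged source inside the span that fired. It assumes both data sets have been exported as tuples; the function names, IPs, accounts and sample events are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # from the post: 15-minute window
THRESHOLD = 50                  # from the post: more than 50 attempts
LOCKOUT_AFTER = 3               # from the post: lockout after 3 failed attempts
# Assumption: Windows Security event IDs that carry a client address and
# record a failed authentication (4625 failed logon, 4771 Kerberos pre-auth).
FAILURE_IDS = {4625, 4771}

def flagged_windows(attempts):
    """Map each source IP to the first (start, end) span holding > THRESHOLD attempts."""
    recent, hits = defaultdict(deque), {}
    for ts, src in sorted(attempts):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > WINDOW:   # drop attempts older than the window
            q.popleft()
        if len(q) > THRESHOLD and src not in hits:
            hits[src] = (q[0], ts)
    return hits

def reconcile(attempts, ad_events):
    """Count AD failures per flagged source inside the span that fired the signal."""
    report = {}
    for src, (start, end) in flagged_windows(attempts).items():
        per_account = defaultdict(int)
        for ts, ip, event_id, account in ad_events:
            if ip == src and start <= ts <= end and event_id in FAILURE_IDS:
                per_account[account] += 1
        report[src] = {
            "failures": sum(per_account.values()),
            # accounts that should have hit the lockout policy in this span
            "lockout_expected": sorted(a for a, n in per_account.items() if n >= LOCKOUT_AFTER),
        }
    return report

# Constructed sample data (not from the post).
T0 = datetime(2024, 1, 1, 9, 0, 0)
ATTEMPTS = [(T0 + timedelta(seconds=10 * i), "10.0.0.5") for i in range(60)]
ATTEMPTS += [(T0 + timedelta(seconds=10 * i), "10.0.0.7") for i in range(55)]
ATTEMPTS += [(T0 + timedelta(minutes=2 * i), "10.0.0.9") for i in range(30)]  # slow, never flagged
AD_EVENTS = [(T0 + timedelta(seconds=30), "10.0.0.5", 4624, "svc_app")]  # successes only
AD_EVENTS += [(T0 + timedelta(seconds=60 * i), "10.0.0.7", 4625, "alice") for i in range(4)]

if __name__ == "__main__":
    for src, row in reconcile(ATTEMPTS, AD_EVENTS).items():
        print(src, row)
```

A flagged source with zero failures points at what the signal is counting (for example all authentication requests rather than failed ones), while a source with failures and an expected lockout should have a matching lockout record in AD.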