We've noticed our admin accounts have been locked several times today due to consecutive failed login attempts to our VMs.
Most likely, these would have gone through the PA firewall.
I wonder what would be the way to filter the huge log, other than by destination address?
Would the app id be ms-rdp? Or something newer for Windows 2012 Server and Windows 2016 Server?
There are many ways to connect to a server. MS-RDP is one if they are trying to remote in; if it's just an MMC connection, then maybe something like ms-ds-smb, ms-netlogon, active-directory, kerberos, etc.
I would say filter your unified logs with the source and destination IPs and see what apps are being used. Usually weird lockouts are caused by phones or tablets; not sure if you allow those accounts via those devices. Other things I have seen cause this are mapped drives after password changes, scheduled tasks, etc.
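As an added illustration of the triage the reply above describes (this is not code from the original thread or from Palo Alto Networks): export the traffic log for the locked-out hosts and group sessions by source and App-ID so the peer that is hammering the server stands out. The CSV layout below is a constructed, simplified subset of a PAN-OS traffic-log export (real exports carry many more columns), and the column names `src`, `dst`, `app` are assumptions chosen to mirror the filter terms in the answer.

```python
import csv
import io
from collections import Counter

# Constructed sample, NOT a real export: a trimmed CSV with only the
# columns this triage needs. Column names are assumptions.
SAMPLE_LOG = """receive_time,src,dst,app,dport,action
2023/05/02 09:00:01,203.0.113.7,10.0.0.5,ms-rdp,3389,allow
2023/05/02 09:00:03,203.0.113.7,10.0.0.5,ms-rdp,3389,allow
2023/05/02 09:00:05,203.0.113.7,10.0.0.5,ms-rdp,3389,allow
2023/05/02 09:00:08,203.0.113.7,10.0.0.5,ms-rdp,3389,allow
2023/05/02 09:01:10,10.0.1.20,10.0.0.5,ms-ds-smb,445,allow
2023/05/02 09:01:12,10.0.1.20,10.0.0.5,kerberos,88,allow
2023/05/02 09:02:00,10.0.1.44,10.0.0.9,ms-netlogon,135,allow
2023/05/02 09:02:30,198.51.100.9,10.0.0.5,ms-rdp,3389,deny
"""


def parse_log(text):
    """Parse the CSV export into a list of dict rows (one per session)."""
    return list(csv.DictReader(io.StringIO(text)))


def sessions_to_hosts(rows, dst_hosts):
    """Keep only sessions whose destination is one of the locked-out hosts."""
    return [r for r in rows if r["dst"] in dst_hosts]


def apps_by_source(rows):
    """Count sessions per (source IP, App-ID) so each peer's protocol is visible.

    This answers "is it RDP, SMB, Kerberos, ...?" without guessing the App-ID up front.
    """
    return dict(Counter((r["src"], r["app"]) for r in rows))


def noisy_sources(rows, threshold):
    """Sources with at least `threshold` sessions to the filtered hosts.

    Repeated short sessions from one peer are the usual signature of a
    device retrying a stale password (phone, mapped drive, scheduled task).
    """
    per_src = Counter(r["src"] for r in rows)
    return {src: n for src, n in per_src.items() if n >= threshold}


if __name__ == "__main__":
    rows = sessions_to_hosts(parse_log(SAMPLE_LOG), {"10.0.0.5"})
    for (src, app), n in sorted(apps_by_source(rows).items()):
        print(f"{src:16} {app:12} {n} sessions")
    print("candidates:", noisy_sources(rows, threshold=3))
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents and `{"10.0.0.5"}` with the addresses of the servers whose accounts keep locking; the source that shows up with a high session count is the one to check for a stale credential.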