Jul 24 2019 05:04 AM - edited Jul 24 2019 05:04 AM
I think this should be triggered from the SIEM, especially if you're collecting logs from all servers into the one source. AATP/ATP would only trigger this from a DC, but your SIEM would trigger it from anywhere that is sending the logs.