I think this should be triggered from the SIEM. Especially if you're collecting logs from all servers in to the one source. AATP/ATP would only trigger this from a DC, but your SIEM would trigger it from anywhere that is sending the logs.