I've searched the internet and I still don't understand what it means when NCA\ANONYMOUS LOGON locks and/or unlocks the domain administrator account.
Below is an extract from the event viewer in an easy to read format. Can anyone explain the best way to determine if it is an intrusion attempt or a process, application or service causing this?
An event has occurred in which you are on the notification list.
Time Stamp: 10/23/2019 11:56:45 PM
Perpetrator: CN=Anonymous Logon,CN=WellKnown Security Principals,CN=Configuration,DC=***,DC=local
Perpetrator Name: ***\ANONYMOUS LOGON
Event Source Type: Active Directory
Domain Name: ***
Policy Name: AD: User Account Lockouts
Event Name: Object Modified
Event Name Translated: Account unlocked
Originating Server: ***\***-DC01
Originating Server IP: *.*.*.10
Target Host: n/a
Target Host IP: n/a
Class Name: user
Affected Object SID: S-1-5-21-3359379490-2354048252-4260778802-500
Affected Object Account Name: ***\administrator
Operation Successful: True
Operation Status: Success
Blocked Event: False
Perpetrator Sid: S-1-5-7
Originating Client: AUTH:***-DC01
Originating Client Host: ***-DC01.****.LOCAL
Originating Client IP: x.x.x.10
Originating Client Protocol: AUTH
Originating Client MAC: **:**:**:**:**:FF
Events Count: 1
Thanks in advance.