While monitoring SIEM alerts, I saw that there were more than 200 failed logons for a user to several hosts in the domain. Obviously, it was triggered as a brute-force attempt.
Assuming it was not an attack, what are the non-malicious root causes that could trigger such alerts, considering that a user will not try 200 wrong passwords manually?