When investigating failed authentications, I ended up finding traffic that I had never seen in our environment before. A user was successfully logging in from the company's IP, but had some failures from an outside IP address. I did find that there had been a successful login from the outside address, though. That log showed me that the user logged in from an outside network laptop. I ended up finding that the user is a contractor using a contractor company laptop to log into our environment and then access a VM on our network. I thought that was so interesting to discover and it was a relief that this was expected activity.