Disabled Guest Account Successfully Logged in. Is this activity normal?

Nina G 46 Reputation points
2023-05-19T16:06:46.18+00:00

TLDR: Windows Server logs show a successful login with a disabled Guest account. Can someone explain this activity?

In our SIEM, I saw the following event below from our Windows 2016 Server (not a DC).

{
    "TimeCreated":"2023-05-19T16:09:24.690239100Z",
    "EventID":"4624",
    "Task":12544,
    "Correlation":
        {
            "ActivityID":"{35d37f4c-fa11-4b8b-a9f3-b622a0c3206f}"
        },
    "Keywords":"Audit Success",
    "Channel":"Security",
    "Opcode":"Info",
    "Security":"",
    "Provider":
        {
            "Guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}",
            "Name":"Microsoft-Windows-Security-Auditing"
        },
    "EventRecordID":1047382761,
    "Execution":
        {
            "ThreadID":3388,
            "ProcessID":712
        },
    "Version":2,
    "Computer":"Win Server 2016",
    "Level":"Information",
    "EventData":
        {   
            "WorkstationName":"workstation 1",
            "TargetDomainName":"NT AUTHORITY",
            "VirtualAccount":"%%1843",
            "SubjectUserSid":"S-1-0-0",
            "TargetOutboundDomainName":"-",
            "LogonProcessName":"NtLmSsp",
            "TargetLinkedLogonId":"0x0",
            "ImpersonationLevel":"%%1833",
            "TargetUserName":"ANONYMOUS LOGON",
            "TargetUserSid":"S-1-5-7",
            "IpAddress":"10.5.5.5",
            "ProcessId":"0x0",
            "KeyLength":"128",
            "ProcessName":"-",
            "SubjectUserName":"-",
            "LogonType":"3",
            "TargetOutboundUserName":"-",
            "TransmittedServices":"-",
            "LogonGuid":"{00000000-0000-0000-0000-000000000000}",
            "SubjectLogonId":"0x0",
            "ElevatedToken":"%%1843",
            "RestrictedAdminMode":"-",
            "TargetLogonId":"0x230fd0bae",
            "IpPort":"57627",
            "AuthenticationPackageName":"NTLM",
            "LmPackageName":"NTLM V1",
            "SubjectDomainName":"-"
        },
    "Message":"An account was successfully logged on."
}

From the image above here is what I'm observing:

  1. Successful login noted via eventid 4624
  2. Username used to login was Anonymous logon as indicated by SID S-1-5-7
  3. The redacted Ip address in this case is internal (not an external address)
  4. Logon type is 3 indicating a network type of logon
  5. The redacted "Computer" in this case is the server that produced this event. This is the server that's being logged into. This isn't an AD server.
  6. The redacted WorkstationName, from my digging, is a laptop.

From there, I did some additional research as to why I'm seeing "successful" anonymous logins and ran into this article. The article states that an anonymous logon from an external address to a server that has RDP or SMB open publicly could potentially be benign.

Listed below are some differences from the article and some findings I've had post review:

  • The server is not open to the public and the source address is internal
  • I was not able to find corresponding event id 4625s
  • I was able to find some corresponding 4624s with \domain\username but the numbers don't match. For example, I have 10 event id 4624 with anonymous logon but only 5 eventid 4624 with actual \domain\username that line up with the date/time. This means that there are 5 other eventid 4624s that don't have \domain\username.

The question is, does anyone have an explanation of this activity?
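Added example, not part of the question or the answer: a small Python triage script that applies the checks the poster describes to 4624 records in this JSON shape. It flags ANONYMOUS LOGON (S-1-5-7), network logon type 3 and NTLM V1, and pairs each anonymous logon with a named 4624 from the same IP inside a short window, which is the "10 anonymous vs 5 named" comparison above. The sample events, the CORP\jdoe user and its SID are constructed placeholders.

```python
from datetime import datetime, timedelta

ANONYMOUS_SID = "S-1-5-7"  # NT AUTHORITY\ANONYMOUS LOGON, as in the record above

def parse_time(ts):
    """Parse SIEM timestamps with 9 fractional digits (e.g. ...24.690239100Z)."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6])  # truncate to microseconds
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro)

def is_anonymous_4624(event):
    return event["EventID"] == "4624" and event["EventData"].get("TargetUserSid") == ANONYMOUS_SID

def triage(event):
    """Return the reasons one 4624 record deserves a second look (empty list = nothing unusual)."""
    d, reasons = event["EventData"], []
    if is_anonymous_4624(event):
        reasons.append("anonymous logon (S-1-5-7)")
        if d.get("LogonType") == "3":
            reasons.append("network logon: typical of SMB session setup before the named user authenticates")
    if d.get("LmPackageName") == "NTLM V1":
        reasons.append("NTLM V1 negotiated: legacy protocol, identify and update the client")
    return reasons

def pair_anonymous_logons(events, window=timedelta(seconds=10)):
    """Map each anonymous 4624 EventRecordID to the DOMAIN\\user logged on from the same IP within `window`, or None."""
    named = [e for e in events if e["EventID"] == "4624" and not is_anonymous_4624(e)]
    pairs = {}
    for a in filter(is_anonymous_4624, events):
        t, ip = parse_time(a["TimeCreated"]), a["EventData"].get("IpAddress")
        match = next((n for n in named if n["EventData"].get("IpAddress") == ip
                      and abs(parse_time(n["TimeCreated"]) - t) <= window), None)
        pairs[a["EventRecordID"]] = (match["EventData"]["TargetDomainName"] + "\\"
                                     + match["EventData"]["TargetUserName"]) if match else None
    return pairs

def mk(rid, ts, user, domain, sid, ip, lm="NTLM V2", ltype="3"):
    """Build a minimal 4624 record in the SIEM's JSON shape (constructed test data)."""
    return {"TimeCreated": ts, "EventID": "4624", "EventRecordID": rid,
            "EventData": {"TargetUserName": user, "TargetDomainName": domain, "TargetUserSid": sid,
                          "IpAddress": ip, "LogonType": ltype, "LmPackageName": lm}}

SAMPLE_EVENTS = [  # constructed: one paired anonymous logon, one named logon, one unpaired anonymous logon
    mk(1, "2023-05-19T16:09:24.690239100Z", "ANONYMOUS LOGON", "NT AUTHORITY", ANONYMOUS_SID, "10.5.5.5", lm="NTLM V1"),
    mk(2, "2023-05-19T16:09:25.104000000Z", "jdoe", "CORP", "S-1-5-21-1111-2222-3333-1105", "10.5.5.5"),
    mk(3, "2023-05-19T16:20:00.000000000Z", "ANONYMOUS LOGON", "NT AUTHORITY", ANONYMOUS_SID, "10.5.5.9", lm="NTLM V1"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["EventRecordID"], triage(e))
    print(pair_anonymous_logons(SAMPLE_EVENTS))  # {1: 'CORP\\jdoe', 3: None}
```

Unpaired entries (None) are the ones worth tracing back to the workstation: an anonymous network logon that is never followed by a named logon from that host is not explained by a share access that then authenticated.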


1 answer

  1. Limitless Technology 45,231 Reputation points
    2023-05-22T12:08:24.82+00:00

    Hello there,

    Microsoft disables the guest account by default to ensure system security.

    This may happen for example when an unknown workgroup\computer tries to access a share on the server.

    It can also be caused when "Everyone" is included in the shared folder's permissions.

    In any case, this is coming from your internal network, so you are not being attacked from the internet.

    And yes, under the right conditions this is quite normal.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer–

