Hi,
I would recommend you use Netmon/wireshark tool to monitor if there are any brute/dictionary attack coming from the outside.
For more advice , you can refer to the following link, hope it would be helpful.
https://social.technet.microsoft.com/Forums/ie/en-US/8dd4375a-48c4-43d7-8e33-87324de9ecf5/transitive-network-logon-attack?forum=winserverDS
Best Regards,