I ran this against several of our servers and one of them, our VPN server, had a failed login alert triggered for ~6k failed logins, and the failures showed to be coming from the IP of the GSM VM.
Is this a normal part of the scan? Or do I need to go down the rabbit hole?