Like Andy I've been using Splunk to track this info do in various ways. Here is one method (removed Domain Name, just replace with your own). Splunk is great for finding this... getting app owners to "care/update" is what is channeling 🙂
sourcetype=WinEventLog EventCode=2889 ComputerName=*.DOMAINFQDN
| rex field=Message "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=Message "(?<username>.*DOMAIN\S.*)"
| rex field=Message "Binding Type:\s*(?<binding_type>[\d]+)"
| table ComputerName, ip, username, binding_type
| dedup ip
another:
sourcetype=WinEventLog EventCode=2889
| rex field=Message "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=Message "Binding Type:\s*(?<binding_type>[\d]+)"
| rex field=Message "Identity the client attempted to authenticate as:\s*(?<username>.*\S.*)"
| table ComputerName, ip, username, binding_type
| dedup ip