Forum Discussion

Tali Ash's avatar
Tali Ash
Icon for Microsoft rankMicrosoft
Sep 24, 2019

Enriched NTLM authentication data using Windows Event 8004

Have you previously experienced NTLM authentications activities that came from unknown devices, such as Workstation or MSTSC? Would you like to discover the actual server being accessed inside the ne...
LoicMichel's avatar
LoicMichel
Copper Contributor
Hi, did you ever find a solution to events 8004 not being generated? I'm in the same situation.
Regards
Loic
Andy Loy's avatar
Andy Loy
Copper Contributor
Dec 02, 2020

LoicMichel 

 

Hi can I just add an additional question to this if I may.... 

 

Is there any pre-considerations around enabling for eventid 8004 on live DC's? 

 

Such as: 

 

1. Potential volume of event logs and potential knock on - local event ID file size/frequency of log overwrites?

2. DC local performance concerns once enabled? 

3. If using other complementary log forwarding solution (e.g. ATP Defender for Server) - knock on log volume ingestation to Log Analytics/Sentinel. 

 

Thanks in advance 

 

Andy  

  • EliOfek's avatar
    EliOfek
    Icon for Microsoft rankMicrosoft
    Dec 03, 2020

    Andy Loy 
    1. I guess you should see an event for every 4776 you currently have.
    It goes to a separate log,  not the default security log.

    2. Never heard a report about a significant performance issue due to turning this on.

    3. Can't tell. I guess you can estimate from answer #1 the increase, if at all this info will go there, as I mentioned, its a separate log.

Resources