Forum Discussion
How to find the source IP of 4776 events?
Can Azure ATP help me in identifying the source IP of a 4776 event (The domain controller attempted to validate the credentials for an account)?
Now often there is no source (IP/computer) information at all, or it shows something generic such as "Workstation", but having the IP address where the request was coming from would help a lot.
As Azure ATP is capturing the traffic on the DC's NIC, I would expect that it can report something?
I'll guess that the 'old' way of figuring out such things would be to put the DCs in netlogon logging mode; https://support.microsoft.com/en-us/help/109626/enabling-debug-logging-for-the-netlogon-service but maybe there's an easier/better way now with Azure ATP?
Thanks
Duncan
7 Replies
- EliOfek
Microsoft
Duncan de Waal Turn on event 8004. This will allow AATP to show you more data.
see https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-windows-event-collection
- Duncan de Waal
Brass Contributor
Thanks Eli, let me check if that's enabled already or not. Do I understand you correctly that this would show the source IP of where the logon attempt was originating from?
- EliOfek
Microsoft
Duncan de Waal Normally yes, but it might miss a few, as not all the info might be available at all times from the OS due to various reasons, but it's surely recommended to turn this on.
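As an added example (not from the thread, Azure ATP, or Microsoft's docs), here is a PowerShell function that correlates each 4776 credential-validation event for an account with the nearest 8004 NTLM audit event on the same DC, which is where the requesting workstation name is recorded once NTLM auditing is enabled as the linked page describes. The EventData field names used (TargetUserName, Workstation, Status, UserName, WorkstationName, SChannelName) are assumed from the event schemas; confirm them against the `.ToXml()` output on your own DC.

```powershell
# Added example: correlate 4776 (Security log) with 8004 (NTLM audit) on a DC
# to recover the workstation that sent the NTLM validation request.
# Assumes NTLM auditing is enabled, so 8004 lands in Microsoft-Windows-NTLM/Operational.
# The EventData field names below are assumptions; verify with $event.ToXml().

function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-NtlmAuthSource {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [datetime]$Start = (Get-Date).AddHours(-1),
        [int]$WindowSeconds = 5   # 4776 and 8004 are logged within moments of each other
    )
    # 4776: the DC validated credentials; often only a generic Workstation value
    $validations = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4776; StartTime=$Start} -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventDataField $_ 'TargetUserName') -eq $UserName }

    # 8004: NTLM audit on the DC; carries the requesting workstation and secure channel
    $audits = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-NTLM/Operational'; Id=8004; StartTime=$Start} -ErrorAction SilentlyContinue

    foreach ($v in $validations) {
        # Nearest 8004 for the same user inside the time window; may be absent,
        # which is the "might miss a few" case from the thread.
        $match = $audits | Where-Object {
            (Get-EventDataField $_ 'UserName') -eq $UserName -and
            [math]::Abs(($_.TimeCreated - $v.TimeCreated).TotalSeconds) -le $WindowSeconds
        } | Select-Object -First 1

        [pscustomobject]@{
            Time            = $v.TimeCreated
            User            = $UserName
            Status          = Get-EventDataField $v 'Status'          # 0x0 = success
            Workstation4776 = Get-EventDataField $v 'Workstation'
            Workstation8004 = if ($match) { Get-EventDataField $match 'WorkstationName' } else { '<no 8004 match>' }
            SecureChannel   = if ($match) { Get-EventDataField $match 'SChannelName' } else { $null }
        }
    }
}

# Usage on a DC (constructed account name):
# Get-NtlmAuthSource -UserName 'svc-backup' -Start (Get-Date).AddHours(-4) | Format-Table -AutoSize
```

Rows whose Workstation8004 column reads `<no 8004 match>` are the validations for which the OS supplied no audit record, so only the generic 4776 Workstation value is available for them.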