Forum Discussion
Duncan de Waal
Jan 10, 2020 Brass Contributor
How to find the source IP of 4776 events?
Can Azure ATP help me in identifying the source IP of a 4776 event (The domain controller attempted to validate the credentials for an account)? Now often there is no source (IP/computer) informatio...
EliOfek
Microsoft
Jan 10, 2020
Duncan de Waal Turn on event 8004. This will allow AATP to show you more data.
See https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-windows-event-collection
Duncan de Waal
Jan 13, 2020 Brass Contributor
Thanks Eli, let me check if that's enabled already or not. Do I understand you correctly that this would show the source IP of where the logon attempt was originating from?
- EliOfek Jan 13, 2020
Microsoft
Duncan de Waal Normally yes, but it might miss a few, as not all the info might be available at all times from the OS due to various reasons, but it's surely recommended to turn this on.
- truekonrads Mar 17, 2020 Brass Contributor
Is there documentation explaining how to mitigate missing events? It seems odd that Windows is unable to capture the source IP of all authentication attempts.
- NaturelDragon Aug 01, 2020 Copper Contributor
I have the same issue as yours, no 8004 event generated. Did you fix your issue?