Forum Discussion
How to find the source IP of 4776 events?
Duncan de Waal Normally yes, but it might miss a few, as not all the info might be available at all times from the OS due to various reasons, but it's surely recommended to turn this on.
- truekonrads, Mar 17, 2020, Brass Contributor
Is there documentation explaining how to mitigate missing events? It seems odd that Windows is unable to capture the source IP of all authentication attempts.
- NaturelDragon, Aug 01, 2020, Copper Contributor
I have the same issue as you: no 8004 event is generated. Did you fix your issue?
- Andrew_Allston, Aug 06, 2020, Iron Contributor
NaturelDragon Not sure if this helps, but the 8004 events don't get logged to the Security log; it took me a while to figure it out. Instead they are in the Windows > NTLM > Operational log. All the docs about this don't mention where the event gets generated, and obviously everyone just assumes it will be in the Security log with the rest of the audit messages.
- EliOfek, Mar 17, 2020, Microsoft
truekonrads, I don't know about the specific issues that might cause that, only that I have heard such edge cases happen in complicated AD scenarios. In addition to that, ATP needs to do event correlation based on sliding windows; while this gives very good results, it's not perfect, so in edge cases we might not be able to correlate the events correctly and won't be able to match the events to provide full data.
In general, if you enabled all the suggested events, you are in a good state ATP-wise.
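As an added example that is not code from the thread or from Microsoft: a PowerShell pass over the two logs Andrew_Allston points out, reading 4776 from Security and 8004 from Microsoft-Windows-NTLM/Operational, and pairing them by user name inside a few-second sliding window in the spirit of the correlation EliOfek describes. It assumes the DC audit policy that produces 8004 is enabled and that 8004's EventData fields are named UserName, WorkstationName and SChannelName (an assumption; 4776's TargetUserName, Workstation and Status are documented).

```powershell
# Added example (not from the thread or Microsoft). Assumes the DC audit policy
# "Network security: Restrict NTLM: Audit NTLM authentication in this domain" is on
# so that 8004 is written, and that 8004's EventData names are UserName,
# WorkstationName and SChannelName (assumption; check one event's XML first).
function ConvertTo-EventDataMap {
    param([Parameter(Mandatory)]$Event)
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[[string]$d.Name] = [string]$d.'#text' }
    return $map
}

function Get-NtlmAuthCorrelation {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$WindowSeconds = 5   # sliding window: 8004 and 4776 for one logon land close together
    )
    # 4776 is in Security; 8004 is NOT, it is in the NTLM Operational log
    $sec  = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $Since } -ErrorAction SilentlyContinue)
    $ntlm = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = $Since } -ErrorAction SilentlyContinue)

    $ntlmRows = foreach ($e in $ntlm) {
        $m = ConvertTo-EventDataMap $e
        [pscustomobject]@{ Time = $e.TimeCreated; User = $m['UserName']; Workstation = $m['WorkstationName']; Server = $m['SChannelName'] }
    }
    foreach ($e in $sec) {
        $m = ConvertTo-EventDataMap $e
        # Join on user name inside the window (assumes 8004 UserName matches 4776 TargetUserName)
        $match = $ntlmRows | Where-Object {
            $_.User -eq $m['TargetUserName'] -and
            [math]::Abs(($_.Time - $e.TimeCreated).TotalSeconds) -le $WindowSeconds
        } | Select-Object -First 1
        $server = if ($match) { $match.Server } else { '<no 8004 in window>' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $m['TargetUserName']
            Workstation = $m['Workstation']   # name only: 4776 carries no source IP
            Status      = $m['Status']        # 0x0 = success, 0xC000006A = bad password
            NtlmServer  = $server
        }
    }
}

# Run on a domain controller from an elevated prompt (reading Security needs admin)
Get-NtlmAuthCorrelation -Since (Get-Date).AddMinutes(-30) | Format-Table -AutoSize
```

Rows that come back with no 8004 in the window are the edge cases EliOfek mentions: either the NTLM audit policy is off on that DC, or the two events did not land close enough to pair.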