Forum Discussion
Tali Ash
Sep 24, 2019
Former Employee
Enriched NTLM authentication data using Windows Event 8004
Have you previously experienced NTLM authentication activities that came from unknown devices, such as Workstation or MSTSC? Would you like to discover the actual server being accessed inside the ne...
EliOfek
Microsoft
Dec 03, 2020
Andy Loy
1. I guess you should see an event for every 4776 you currently have.
It goes to a separate log, not the default security log.
2. Never heard a report about a significant performance issue due to turning this on.
3. Can't tell. I guess you can estimate the increase from answer #1, if this info will go there at all; as I mentioned, it's a separate log.
Andy Loy
Dec 03, 2020
Copper Contributor
Thanks Eli - Can I just follow on from your answer:
"1. I guess you should see an event for every 4776 you currently have.
It goes to a separate log, not the default security log."
I found https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 that seems to suggest eventID 4776 is logged to the Security event log??
- Andy Loy
Dec 03, 2020
Copper Contributor
Apols - misread your response @eli - you were implying 8004 eventIDs are logged to a different log file location, as per https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191
Thanks for your response and assistance! Appreciated.