Jan 10 2020 02:49 AM
Can Azure ATP help me in identifying the source IP of a 4776 event (The domain controller attempted to validate the credentials for an account)?
Now often there is no source (IP/computer) information at all, or it shows something generic such as "Workstation" but having the IP address where the request was coming from would help a lot.
As Azure ATP is capturing the traffic on the DC's NIC, I would expect that it can report something?
I'll guess that the 'old' way of figuring out such things would be to put the DCs in netlogon logging mode; https://support.microsoft.com/en-us/help/109626/enabling-debug-logging-for-the-netlogon-service but maybe there's an easier/better way now with Azure ATP?
Thanks
Duncan
Jan 10 2020 11:36 AM
@Duncan de Waal Turn on event 8004. This will allow AATP to show you more data.
see https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-windows-event-collection
Jan 13 2020 05:49 AM
Jan 13 2020 12:54 PM
@Duncan de Waal Normally yes, but it might miss a few, as not all the info might be available at all time from the OS due to various reasons, but it's surely recommended to turn this on.
Mar 16 2020 06:06 PM
Mar 17 2020 07:45 AM
@truekonrads, I don't know about the specific issues that might cause that, only that I have heard such edge cases happen in complicated AD scenarios. In addition to that, ATP needs to do event correlation based on sliding windows; while this gives very good results, it's not perfect, so in edge cases we might not be able to correlate the events correctly and won't be able to match the events to provide full data.
In general, if you enabled all the suggested events, you are in a good state ATP-wise.
Aug 01 2020 12:15 AM
I have the same issue as yours, no 8004 event generated. Did you fix your issue?
Aug 06 2020 07:24 AM
@NaturelDragon Not sure if this helps, but the 8004 events don't get logged to the Security Log. It took me a while to figure it out; instead they are in the Windows > NTLM > Operational log. All the docs about this don't mention where the event gets generated, and obviously everyone just assumes it will be in the Security log with the rest of the Audit messages.
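As an added example (not posted by anyone in this thread and not Microsoft's own tooling), a PowerShell check a DC admin can run to confirm the "Restrict NTLM" audit policies behind event 8004 are set, read the 8004 events from the Microsoft-Windows-NTLM/Operational channel mentioned above, and compare their volume with 4776 over the same window. The registry value names and expected values are assumptions drawn from the "Audit NTLM authentication in this domain" / "Audit Incoming NTLM Traffic" policies; the field labels are parsed from the rendered 8004 message text.

```powershell
# Added example; run elevated on a domain controller.
# Assumption: these are the values the two "Restrict NTLM" audit policies write
# under Lsa\MSV1_0 (7 = "Enable all", 2 = "Enable auditing for all accounts").
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$cfg = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue
[pscustomobject]@{
    AuditNTLMInDomain         = $cfg.AuditNTLMInDomain          # expect 7
    AuditReceivingNTLMTraffic = $cfg.AuditReceivingNTLMTraffic  # expect 2
} | Format-List

# 8004 lives in the NTLM operational channel, not in the Security log.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8004
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 8004 events in the last 24h: check the policy values above and that the channel is enabled."
    return
}

# Pull the fields out of the rendered message (labels as they appear in the 8004 text).
$rows = foreach ($e in $events) {
    $m = $e.Message
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = if ($m -match 'User name:\s*(.+)')           { $matches[1].Trim() }
        Domain      = if ($m -match 'Domain name:\s*(.+)')         { $matches[1].Trim() }
        Workstation = if ($m -match 'Workstation name:\s*(.+)')    { $matches[1].Trim() }
        Channel     = if ($m -match 'Secure Channel name:\s*(.+)') { $matches[1].Trim() }
    }
}

# 4776 volume over the same window; a large gap means the 8004-based
# correlation AATP relies on will have holes for some authentications.
$n4776 = (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } `
          -ErrorAction SilentlyContinue | Measure-Object).Count
"8004 events: $($rows.Count)   4776 events: $n4776"

# Which workstation names are still generic or empty (the symptom in the question).
$rows | Group-Object Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name -First 15
```

The Secure Channel name is usually the computer account that relayed the logon, which is often the missing "source" the original question asks about.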