How to find the source IP of 4776 events?

%3CLINGO-SUB%20id%3D%22lingo-sub-1101024%22%20slang%3D%22en-US%22%3EHow%20to%20find%20the%20source%20IP%20of%204776%20events%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1101024%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20Azure%20ATP%20help%20me%20in%20identifying%20the%20source%20IP%20of%20a%204776%20event%20(%3CSPAN%3EThe%20domain%20controller%20attempted%20to%20validate%20the%20credentials%20for%20an%20account)%3F%3CBR%20%2F%3ENow%20often%20there%20is%20no%20source%20(IP%2Fcomputer)%20information%20at%20all%2C%20or%20it%20shows%20something%20generic%20such%20as%20%22Workstation%22%20but%20having%20the%20IP%20address%20where%20the%20request%20was%20coming%20from%20would%20help%20a%20lot.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EAs%20Azure%20ATP%20is%20capturing%20the%20traffic%20on%20the%20DCs%20NIC%20I%20would%20expect%20that%20it%20can%20report%20something%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EI'll%20guess%20that%20the%20'old'%20way%20of%20figuring%20out%20such%20things%20would%20be%26nbsp%3B%3C%2FSPAN%3Eto%20put%20the%20DCs%20in%20netlogon%20logging%20mode%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F109626%2Fenabling-debug-logging-for-the-netlogon-service%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F109626%2Fenabling-debug-logging-for-the-netlogon-service%3C%2FA%3E%26nbsp%3Bbut%20maybe%20there's%20an%20easier%2Fbetter%20way%20now%20with%20Azure%20ATP%3F%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3EDuncan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1102108%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20find%20the%20source%20IP%20of%204776%20events%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1102108%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F125308%22%20target%3D%22_blank%22%3E%40Duncan%20de%20Waal%3C%2FA%3E%26nbsp%3BTurn%20on%20event%26nbsp%3B8004.%20this%20will%20allow%20AATP%20to%20show%20you%20more%20data.%3C%2FP%3E%0A%3CP%3Esee%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fconfigure-windows-event-collection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fconfigure-windows-event-collection%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1104858%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20find%20the%20source%20IP%20of%204776%20events%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1104858%22%20slang%3D%22en-US%22%3EThanks%20Eli%2C%20let%20me%20check%20if%20that's%20enabled%20already%20or%20not.%20Do%20I%20understand%20you%20correct%20that%20this%20would%20show%20the%20source%20IP%20of%20where%20the%20logon%20attempt%20was%20originating%20from%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1106044%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20find%20the%20source%20IP%20of%204776%20events%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1106044%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F125308%22%20target%3D%22_blank%22%3E%40Duncan%20de%20Waal%3C%2FA%3E%26nbsp%3BNormally%20yes%2C%20but%20it%20might%20miss%20a%20few%2C%20as%20not%20all%20the%20info%20might%20be%20available%20at%20all%20time%20from%20the%20OS%20due%20to%20various%20reasons%2C%20but%20it's%20surely%20recommended%20to%20turn%20this%20on.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1231773%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20find%20the%20source%20IP%20of%204776%20events%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1231773%22%20slang%3D%22en-US%22%3EIs%20there%20a%20documentation%20explaining%20how%20to%20mitigate%20missing%20events%3F%20It%20seems%20odd%20that%20Windows%20is%20unable%20to%20capture%20the%20source%20IP%20of%20all%20authentication%20attempts.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1232709%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20find%20the%20source%20IP%20of%204776%20events%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1232709%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F520442%22%20target%3D%22_blank%22%3E%40truekonrads%3C%2FA%3E%26nbsp%3B%2CI%26nbsp%3B%20don't%20know%20about%20the%20specific%20issues%20that%20might%20cause%20that%2C%20only%20that%20I%20have%20heard%20such%20edge%20cases%20happen%20in%20complicated%20AD%20scenarios.%20in%20addition%20to%20that%2C%20ATP%20needs%20to%20do%20event%20correlation%2C%20based%20on%20sliding%20windows%2C%20while%20this%20gives%20very%20good%20results%2C%20it's%20not%20perfect%2C%20so%20in%20edge%20cases%20we%20might%20not%20be%20able%20to%20correlate%20the%20events%20correctly%20and%20won't%20be%20able%20to%20match%20the%20events%20to%20provide%20full%20data.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20general.%20if%20you%20enabled%20all%20the%20suggested%20events%2C%20you%20are%20in%20a%20good%20state%20ATP%20wise.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1560071%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20find%20the%20source%20IP%20of%204776%20events%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1560071%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20the%20same%20issue%20as%20yours%2C%20no%208004%20event%20generated.%20Did%20you%20fix%20your%20issue%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1570741%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20find%20the%20source%20IP%20of%204776%20events%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1570741%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F743211%22%20target%3D%22_blank%22%3E%40NaturelDragon%3C%2FA%3E%26nbsp%3BNot%20sure%20if%20this%20helps%2C%20but%20the%208004%20events%20don't%20get%20logged%20to%20the%20Security%20Log%2C%20it%20took%20me%20a%20while%20to%20figure%20it%20out%2C%20instead%20they%20are%20in%20the%20windows%20%26gt%3B%20NTLM%20%26gt%3B%20Operational%20log.%20All%20the%20docs%20about%20this%20don't%20mention%20where%20the%20event%20gets%20generated%20and%20obviously%20everyone%20just%20assumes%20it%20will%20be%20in%20the%20Security%20log%20with%20the%20reset%20of%20the%20Audit%20messages.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Can Azure ATP help me in identifying the source IP of a 4776 event (The domain controller attempted to validate the credentials for an account)?
Now often there is no source (IP/computer) information at all, or it shows something generic such as "Workstation" but having the IP address where the request was coming from would help a lot.

As Azure ATP is capturing the traffic on the DCs NIC I would expect that it can report something?

I'll guess that the 'old' way of figuring out such things would be to put the DCs in netlogon logging mode; https://support.microsoft.com/en-us/help/109626/enabling-debug-logging-for-the-netlogon-service but maybe there's an easier/better way now with Azure ATP?

Thanks

Duncan

7 Replies
Highlighted
Highlighted
Thanks Eli, let me check if that's enabled already or not. Do I understand you correct that this would show the source IP of where the logon attempt was originating from?
Highlighted

@Duncan de Waal Normally yes, but it might miss a few, as not all the info might be available at all time from the OS due to various reasons, but it's surely recommended to turn this on.

Highlighted
Is there a documentation explaining how to mitigate missing events? It seems odd that Windows is unable to capture the source IP of all authentication attempts.
Highlighted

@truekonrads ,I  don't know about the specific issues that might cause that, only that I have heard such edge cases happen in complicated AD scenarios. in addition to that, ATP needs to do event correlation, based on sliding windows, while this gives very good results, it's not perfect, so in edge cases we might not be able to correlate the events correctly and won't be able to match the events to provide full data. 

In general. if you enabled all the suggested events, you are in a good state ATP wise.

Highlighted

I have the same issue as yours, no 8004 event generated. Did you fix your issue?

@NaturelDragon Not sure if this helps, but the 8004 events don't get logged to the Security Log, it took me a while to figure it out, instead they are in the windows > NTLM > Operational log. All the docs about this don't mention where the event gets generated and obviously everyone just assumes it will be in the Security log with the reset of the Audit messages.