How to find the real source IP of an Event 4776 generated from a public Exchange MAPI URL https://mail.xxxx.yy/mapi/
Hi,
I am struggling trying to find the real source of a bunch of authentication attempts (brute force) that I just discovered in our environment.
I did my own test connecting to our public URL https://mail.xxxxxx.yyy/mapi/ using my 4G phone, using wrong credentials.
The event 4776 logged on our DC server is the following:
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=Dc.xxxx.yyy
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=1450342160
Keywords=Audit Failure
Message=The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: test4g
Source Workstation: localhost
Error Code: 0xC0000064
I tried to find traces in our Exchange IIS logs and I don't find any entry. I checked and the logging is enabled, format W3C. We have on-prem Exchange 2016.
Maybe I need to enable some settings for deeper logging?
Thanks a lot.
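The 4776 event quoted above carries no client address (the source workstation is reported as the Exchange front end, here "localhost"), so the only place the remote IP survives is the IIS W3C log of the Exchange server, in the c-ip field of the request that was answered with a 401 at the moment the DC rejected the credentials. The script below is an added example, not code from the original post: it parses an IIS W3C Extended log (honouring the #Fields: directive, so column order does not matter), keeps the 401 responses under /mapi/ inside a short time window around the 4776 timestamp, and also counts failed authentications per client IP, which is the brute-force view. The log lines are constructed sample data; the field names are the IIS defaults. Two assumptions the correlation rests on: IIS writes W3C timestamps in UTC by default while the DC event is shown in local time, so convert the event time before calling it; and if a load balancer or reverse proxy sits in front of Exchange, c-ip is the proxy's address and the real client is only recoverable if an X-Forwarded-For field is being logged.

```python
"""Correlate a failed-credential event (Event ID 4776) with IIS W3C log lines
for the /mapi/ virtual directory to recover the client IP.

Added example, not from the original post. SAMPLE_IIS_LOG is constructed
sample data; the #Fields: names follow the IIS W3C Extended defaults.
"""
from datetime import datetime, timedelta

# Constructed sample: an IIS W3C log excerpt. IIS logs in UTC by default.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2024-05-01 10:14:55 10.0.0.5 POST /mapi/emsmdb/ MailboxId=abc 443 - 198.51.100.23 Outlook/16.0 401 1 0
2024-05-01 10:15:02 10.0.0.5 POST /mapi/emsmdb/ MailboxId=abc 443 - 198.51.100.23 Outlook/16.0 401 1 0
2024-05-01 10:15:03 10.0.0.5 GET /owa/ - 443 alice 192.0.2.10 Mozilla/5.0 200 0 0
2024-05-01 10:15:04 10.0.0.5 POST /mapi/emsmdb/ MailboxId=abc 443 - 203.0.113.77 Outlook/16.0 401 1 0
2024-05-01 10:15:30 10.0.0.5 POST /mapi/emsmdb/ MailboxId=abc 443 bob 192.0.2.44 Outlook/16.0 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: directive.

    W3C logs may switch field sets mid-file (IIS re-emits the directive after a
    restart or a logging change), so the header is re-read whenever it appears.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line encountered before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def _stamp(entry):
    return datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")


def candidate_client_ips(log_text, event_time_utc, window_seconds=5, uri_prefix="/mapi/"):
    """Return (timestamp, c-ip, cs-username, user-agent) for every 401 under
    uri_prefix within +/- window_seconds of the 4776 event time (UTC)."""
    lo = event_time_utc - timedelta(seconds=window_seconds)
    hi = event_time_utc + timedelta(seconds=window_seconds)
    hits = []
    for entry in parse_w3c(log_text):
        if entry["sc-status"] != "401":
            continue
        if not entry["cs-uri-stem"].lower().startswith(uri_prefix):
            continue
        stamp = _stamp(entry)
        if lo <= stamp <= hi:
            hits.append((stamp, entry["c-ip"], entry["cs-username"], entry.get("cs(User-Agent)", "-")))
    return hits


def failed_auth_by_ip(log_text, uri_prefix="/mapi/"):
    """Count 401 responses under uri_prefix per client IP: the brute-force view."""
    counts = {}
    for entry in parse_w3c(log_text):
        if entry["sc-status"] == "401" and entry["cs-uri-stem"].lower().startswith(uri_prefix):
            counts[entry["c-ip"]] = counts.get(entry["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed 4776 timestamp, already converted from DC local time to UTC.
    event_utc = datetime(2024, 5, 1, 10, 15, 2)
    for stamp, ip, user, agent in candidate_client_ips(SAMPLE_IIS_LOG, event_utc):
        print(f"{stamp:%Y-%m-%d %H:%M:%S}Z  401 /mapi/ from {ip} user={user} ua={agent}")
    for ip, n in sorted(failed_auth_by_ip(SAMPLE_IIS_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} failed MAPI authentications")
```

On a real server, read the files from the W3SVC log directory of the Default Web Site (the /mapi/ front-end virtual directory) and pass the 4776 TimeCreated converted to UTC; widen the window if the DC and Exchange clocks are not tightly synchronised.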