Security log audit failure 4776: Logon Account: status-check
I've got a strange one for you. We have Azure VPN Gateway connecting our local network; all servers and file shares are in the cloud. Everything works fine. I have logon auditing enabled and I have a scheduled task running that emails me whenever there is a 4776 error generated in the security log of the domain controller. We have a SonicWall firewall and we use NetExtender SSL VPN on port 4433 for remote users (with NPS and Authenticator for 2FA). There is a logon account with the name "status-check" that randomly tries to log on to our domain. By checking the SonicWall log, I found the source of this logon is the same IP as our Azure VPN gateway. I set a firewall rule to block the IP from accessing port 4433, and that reduced the number of attempts from dozens in a row down to fewer than ten at a time. However, it still happens several times a week. I cannot pin down where it is coming from or what port it is going through; the 4776 error does not show a workstation name or any other detail, and the netlogon file does not show any detail either. It appears to be coming through the site-to-site VPN, though. What is going on here? I can't be the only IT guy that sees this "status-check" trying to log on, but Google does not hit anything on it.
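
For triage of the events described above, the following added example (not part of the original post) pulls the failed 4776 events for the "status-check" account from the domain controller's Security log and buckets them by hour, status code and workstation field, so the timestamps can be lined up against the SonicWall log. The look-back window and the status-code descriptions are assumptions supplied for illustration.

```powershell
# Added example: summarize failed 4776 (NTLM credential validation) events
# for one account. Run in an elevated session on the domain controller.
$account = 'status-check'   # account name taken from the post
$days    = 7                # look-back window (assumed)

# Common NTSTATUS codes reported in the Status field of event 4776
$statusText = @{
    '0xc0000064' = 'Account name does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc0000072' = 'Account disabled'
    '0xc0000234' = 'Account locked out'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4776
    StartTime = (Get-Date).AddDays(-$days)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the named EventData fields instead of relying on positional order
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($data['TargetUserName'] -ne $account) { continue }  # other accounts
    if ($data['Status'] -eq '0x0')            { continue }  # successful validation

    $meaning = $statusText[$data['Status']]
    if (-not $meaning) { $meaning = 'Other (look up the NTSTATUS value)' }

    [pscustomobject]@{
        Hour        = $e.TimeCreated.ToString('yyyy-MM-dd HH:00')
        Workstation = $data['Workstation']   # empty in the case described
        Status      = $data['Status']
        Meaning     = $meaning
    }
}

# One line per hour/status/workstation combination, with a count of attempts
$rows | Group-Object Hour, Status, Workstation |
    Sort-Object Name |
    Select-Object Count, Name, @{ n = 'Meaning'; e = { $_.Group[0].Meaning } } |
    Format-Table -AutoSize
```

A status of `0xc0000064` means the account name does not exist in the domain, while `0xc000006a` means the name exists and the password was wrong; which one appears tells you whether "status-check" is a real account.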