Password spraying, NTLM Brute Force Attack are all too common for anyone running RDP service.
Event ID 4776 logs the authentication attempts in Event Viewer (Windows Logs > Security). Using "microsoft_authentication_package_v1_0". You may find out what the source Network Address (IP) is. Sometimes IPs do not show but only the Source Workstation Name which is often spoofed (fake). You get Audit Failures more than once logged per second quite often when this happens.
Then further investigation is needed by preparing for NTLM auditing. Which is to enable Event ID 8004 logging (Group Policy Management > Forest > Domains > Domain Controllers > right click Default Domain Controllers Policy to Edit...
Then Group Policy Management Editor will open, from there go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options:
- Network security: Restrict NTLM: Audit Incoming Traffic = Enable auditing for all accounts
- Network security: Restrict NTLM: Audit NTLM authentication in this domain = Enable all
- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Audit all
Then run in command prompt: gpupdate /force
And go to Event Viewer will log 8004 in Application and Services Logs > Microsoft > Windows > NTLM > Operational (right click to select Properties and change log size to 20032 (20MB). Now you can see the log. This log shows you the real device (workstation on the network) that's being targeted. From there, next step investigation can be done: i.e. look for IPs on that victim device that need to be blocked, etc.