I am getting multiple 4768 events. I know the result code indicates a bad user name, but I am struggling to find out where the request is coming from. Client address is ::1 / port 0. How can I determine what workstation/service this request is coming from? Event from the DC is:
A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name: TestUser
    Supplied Realm Name: mydomain.COM
    User ID: NULL SID

Service Information:
    Service Name: krbtgt/mydomain.COM
    Service ID: NULL SID

Network Information:
    Client Address: ::1
    Client Port: 0

Additional Information:
    Ticket Options: 0x40810010
    Result Code: 0x6
    Ticket Encryption Type: 0xFFFFFFFF
    Pre-Authentication Type: -

Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint: