Event Details

Event Type: Audit Credential Validation
Event Description: 4776 : The computer attempted to validate the credentials for an account.
Event ID: 4776

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | N/A | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <tag1> | <result>, <tag3> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Processid | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| InterfaceName | N/A | N/A |
| Identity | N/A | N/A |
| TargetUserName | <login> | <domainorigin>, <tag1>, <login> |
| TargetDomainName | N/A | N/A |
| SubjectUserName | N/A | N/A |
| SubjectDomainName | N/A | N/A |
| SubjectLogonId | N/A | N/A |
| ReasonCode | N/A | N/A |
| ReasonText | N/A | N/A |
| ErrorCode | <tag2> | N/A |
| serviceName | N/A | N/A |
| WorkStation | <sname> | N/A |
| status | N/A | <status>, <tag2> |
| FailureCode | N/A | N/A |
| AccountName | N/A | N/A |
| AccountDomain | N/A | N/A |
| Result Code | N/A | N/A |
| IpAddress | N/A | N/A |
| Ip Port | N/A | N/A |
| status | N/A | N/A |
| FailureCode | N/A | N/A |
| Pre-Authentication Type | N/A | N/A |
| AccountName | N/A | N/A |
| AccountDomain | N/A | N/A |
| Result Code | N/A | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1004625 | EVID 4776 : Remote Logon | Base Rule | User Logon | Audit: Authentication Success |
| | EVID 4776 : Remote Logon Success | Sub Rule | User Logon | Authentication Success |
| | EVID 4776 : Remote Logon - Admin | Sub Rule | User Logon | Authentication Success |
| | EVID 4776 : Failed Rem Logon - User Does Not Exist | Sub Rule | User Logon Failure - Bad Username | Authentication Failure |
| | EVID 4776 : Failed Rem Logon - Bad Password | Sub Rule | User Logon Failure - Bad Password | Authentication Failure |
| | EVID 4776 : Failed Rem Logon - Account Locked | Sub Rule | User Logon Failure - Account Locked Out | Authentication Failure |
| | EVID 4776 : Failed Rem Logon - Account Disabled | Sub Rule | User Logon Failure - Account Disabled | Authentication Failure |
| | EVID 4776 : Failed Rem Logon - Outside Time Limits | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4776 : Failed Rem Logon - Workstation Restriction | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4776 : Failed Rem Logon - Account Expired | Sub Rule | User Logon Failure - Account Disabled | Authentication Failure |
| | EVID 4776 : Failed Rem Logon - Password Expired | Sub Rule | User Logon Failure - Bad Password | Authentication Failure |
| | EVID 4776 : Failed Rem Logon - Change Password | Sub Rule | User Logon Failure - Bad Password | Authentication Failure |
| | EVID 4776 : Failed Remote Logon - Admin | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4776 : Failed Remote Logon | Sub Rule | User Logon Failure | Authentication Failure |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1011093 | V 2.0 : EVID 4776 : User Logon Failure | Base Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4776 : Computer Logon Success | Sub Rule | Computer Logon | Authentication Success |
| | V 2.0 : EVID 4776 : Bad UserName | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4776 : Bad Password | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4776 : Expired Password | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4776 : Disabled Account | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4776 : Expired Account | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4776 : Password Change Required | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4776 : Locked Account | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4776 : Computer Account Logon Failure | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4776 : User Logon Success | Sub Rule | User Logon | Authentication Success |
| | V 2.0 : EVID 4776 : Bad UserName | Sub Rule | User Logon Failure : Bad Username | Authentication Failure |
| | V 2.0 : EVID 4776 : Bad Password | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
| | V 2.0 : EVID 4776 : Outside Logon Hours | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4776 : Unauthorized Workstation | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4776 : Expired Password | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
| | V 2.0 : EVID 4776 : Disabled Account | Sub Rule | User Logon Failure : Account Disabled | Authentication Failure |
| | V 2.0 : EVID 4776 : Expired Account | Sub Rule | User Logon Failure : Bad Username | Authentication Failure |
| | V 2.0 : EVID 4776 : Password Change Required | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4776 : Locked Account | Sub Rule | User Logon Failure : Account Locked Out | Authentication Failure |