locked
credential validation events -> event ID 4776 RRS feed

  • Question

  • When dealing with Event-ID 4776 is ATA interested in failed or successfull (or both) credential validation events ?
    Wednesday, October 11, 2017 1:00 PM

Answers

  • Hello Carsten,

    I think that ATA analyzes the events for both failed and successful credential validation.

    Based on my own understanding, event 4776 is used for enhancing NTLM relevant detection. By analyzing this event, ATA can correlate it with the data collected from network traffic.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 12, 2017 8:55 AM