Is it required to monitor Event 4776
Posted 9/14/2018 8:00:23 PM
Forum Newbie


Group: Forum Members
Last Login: 9/14/2018 3:50:58 AM
Posts: 1, Visits: 0
Hello Guys,
We are receiving tons of events for EVID 4776, and our SIEM Admin asked us if we can exclude this event ID from monitoring. What are your suggestions? Should we monitor events for EVID 4776, and what are the recommendations for monitoring this event? Can we exclude this event in any situation? Please suggest. We don't want to miss any important event, but if this event is similar to Events 4624 & 4625 and gives the same information about user success and failed logins, then can we ignore this event or not? Need your valuable suggestions.
Post #8502
Posted 9/29/2018 7:25:52 PM
Supreme Being


Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0
This event identifies failed or successful NTLM authentication attempts, so in my opinion it is very important. In the case of NTLM domain authentication attempts, this may be the only indication of failed authentication attempts in your environment if you are not logging workstation logon events. Also, not every authentication attempt is associated with a logon. Authentication can be used for various services and access. I would take a look at the events and try to troubleshoot failure type 4776 events that are showing high numbers and attempt to troubleshoot the issue. Sometimes there is a rogue script that everyone forgot about.
Post #8507
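An added example, not part of the posts above: one way to find which sources produce the high-volume 4776 failures before deciding what to filter. It assumes the events have been exported from the SIEM as records carrying the event's `TargetUserName`, `Workstation` and `Status` fields; the function name, thresholds and sample records are constructed for illustration.

```python
from collections import Counter, defaultdict

# NTSTATUS values commonly seen in the 4776 error code field.
STATUS_NAMES = {
    "0xc0000064": "no such user",
    "0xc000006a": "wrong password",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
    "0xc0000071": "password expired",
}

def triage_4776(events, min_failures=5, min_accounts=3):
    """Summarise failed 4776 credential validations by source.

    Returns (repeat_offenders, multi_account_sources):
      repeat_offenders      - [(account, workstation, reason, count)], busiest
                              first; typical of a stale password in a service
                              or a forgotten script.
      multi_account_sources - {workstation: sorted accounts} where a single
                              workstation fails for many different accounts.
    """
    pair_counts = Counter()
    accounts_by_ws = defaultdict(set)
    for ev in events:
        status = ev["Status"].lower()
        if status == "0x0":  # successful validation, not a failure
            continue
        account = ev["TargetUserName"].lower()
        ws = ev["Workstation"].upper() or "(blank)"
        pair_counts[(account, ws, status)] += 1
        accounts_by_ws[ws].add(account)
    repeat = [(a, w, STATUS_NAMES.get(s, s), n)
              for (a, w, s), n in pair_counts.most_common() if n >= min_failures]
    multi = {w: sorted(accts) for w, accts in accounts_by_ws.items()
             if len(accts) >= min_accounts}
    return repeat, multi

# Constructed sample export (not real log data).
SAMPLE_EVENTS = (
    [{"TargetUserName": "svc_backup", "Workstation": "APP01", "Status": "0xC000006A"}] * 6
    + [{"TargetUserName": u, "Workstation": "WKS17", "Status": "0xC0000064"}
       for u in ("alice", "bob", "carol", "dave")]
    + [{"TargetUserName": "jdoe", "Workstation": "WKS02", "Status": "0x0"},
       {"TargetUserName": "jdoe", "Workstation": "WKS02", "Status": "0xC000006A"}]
)

if __name__ == "__main__":
    repeat, multi = triage_4776(SAMPLE_EVENTS)
    print(repeat)
    print(multi)
```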
All times are GMT -5:00.