Merge pull request #9942 from rathbuna/patch-2

Update event-4776.md
2025-06-17 11:23:45 +00:00 · 2021-09-16 08:45:12 -07:00
parent 1d3b786005 24ccda538c
commit aebb5f45f3
1 changed files with 15 additions and 15 deletions
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ b/windows/security/threat-protection/auditing/event-4776.md
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/13/2021
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
@ -116,7 +116,7 @@ This event does *not* generate when a domain account logs on locally to a domain
 | 0xC0000193 | Account logon with expired account.                                                                                                                                                                                                                                                       |
 | 0xC0000224 | Account logon with "Change Password at Next Logon" flagged.                                                                                                                                                                                                                               |
 | 0xC0000234 | Account logon with account locked.                                                                                                                                                                                                                                                        |
-| 0xc0000371 | The local account store does not contain secret material for the specified account.                                                                                                                                                                                                       |
+| 0xC0000371 | The local account store does not contain secret material for the specified account.                                                                                                                                                                                                       |
 | 0x0        | No errors.                                                                                                                                                                                                                                                                                |

 > Table 1. Winlogon Error Codes.
@ -126,7 +126,7 @@ This event does *not* generate when a domain account logs on locally to a domain
 For 4776(S, F): The computer attempted to validate the credentials for an account.

 | **Type of monitoring required**     | **Recommendation**          |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|-----------------|---------|
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts.        |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.<br>To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used.   |
@ -143,7 +143,7 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun
 -   Consider tracking the following errors for the reasons listed:

 | **Error to track**  | **What the error might indicate**   |
-|-----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
+|----------|----------------|
 | **User logon with misspelled or bad user account**  | For example, N events in the last N minutes can be an indicator of an account enumeration attack, especially relevant for highly critical accounts. |
 | **User logon with misspelled or bad password**      | For example, N events in the last N minutes can be an indicator of a brute-force password attack, especially relevant for highly critical accounts. |
 | **User logon outside authorized hours**             | Can indicate a compromised account; especially relevant for highly critical accounts.  |