title: LP_0107_windows_audit_credential_validation
default: Configured
volume: High # on domain controllers. Low on member servers and workstations.
description: >
  Audit Credential Validation determines whether the operating system 
  generates audit events on credentials that are submitted for a user 
  account logon request
eventID:
  - 4774 # (S, F): An account was mapped for logon
  - 4775 # (F): An account could not be mapped for logon
  - 4776 # (S, F): The computer attempted to validate the credentials for an account
  - 4777 # (F): The domain controller failed to validate the credentials for an account
references:
  - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-credential-validation.md
configuration: |
  Manual steps to implement logging policy:

  ```
  Computer Configuration >
  Windows Settings >
  Security Settings >
  Advanced Security Audit Policy Settings >
  Audit Policies >
  Account Logon >
  Audit Credential Validation (Success,Failure)
  ```