Windows Discovery will create MID server credential login event on Windows target.This is by product Design. Windows Discovery will run WMI commands on MID server side, and this behavior will let target create related events. this is the expected behavior for Windows auditing of such commands.Their documentation indicates that these audit entries should be ignored. Please see:https://docs.microsoft.com/en-US/troubleshoot/windows-client/system-management-components/failed-logon-event-when-running-remote-wmi