@Hrishikesh Tak
When looking at Event Log 4776 (credential validation), The Source Workstation is the VM/PC that you signed in with, and not the actual VM you're using. As you can see in my below examples:
I RDP'd to jatranVM001 with a VMSS (jatran-vm00000E). From the screenshot, you can see that the Source Workstation was the VMSS I used to connect with. While the Computer name is the actual VM I'm connecting to/working on (jatranVM001).
VMSS to jatranVM001
I tested this scenario multiple times just to confirm my findings:
Laptop to jatranVM001
jatranVM001 to jatranVM001
When it comes to the RecordID, I didn't see it within the Event logs themselves, as you can see in my screenshot it only shows "Event ID". However, I'd assume that it's the ID for the actual event log record.
-When you go the event logs themselves, are you able to see that RecordID?
You can get to the logs by: Connecting to your VM -> Right click Windows Logo -> Select Event Viewer -> Windows Logs -> Security -> Filter for Event 4776
Please let me know if you have any other questions regarding this issue.
Thank you for your time and patience!
4776(S, F): The computer attempted to validate the credentials for an account.