EVID 4768, 4771 : Kerberos Events (Part 1) (Security)

Event Details

Event Type: Audit Kerberos Authentication Service
Event Description:
  • 4768(S, F) : A Kerberos authentication ticket (TGT) was requested.
  • 4771(F) : Kerberos pre-authentication failed.
Event ID: 4768, 4771

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
| --- | --- | --- |
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | N/A | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <tag1> | <result> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Processid | <processid> | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| EventData | <vendorinfo>, <subject> | N/A |
| TargetUserName | N/A | <login> |
| TargetDomainName | N/A | <domainorigin> |
| SubjectUserName | N/A | N/A |
| SubjectDomainName | N/A | N/A |
| SubjectLogonId | N/A | N/A |
| ReasonCode | N/A | N/A |
| ReasonText | N/A | N/A |
| ErrorCode | N/A | N/A |
| serviceName | <group> | <process> |
| TicketOptions | <policy> | N/A |
| status | N/A | <responsecode>, <tag2> |
| TicketEncryptionType | <version> | N/A |
| IpAddress / Client Address | <sip> | <sip> |
| Ip Port / Client Port | <sport> | <sport> |
| status | N/A | N/A |
| FailureCode | <objectname>, <tag3> | N/A |
| Pre-Authentication Type | <object> | N/A |
| AccountName | <login>, <tag2> | N/A |
| AccountDomain | <domain> | N/A |
| Result Code | <objectname>, <tag3> | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- | --- |
| 1000311 | EVID 4768, 4770, 4771 : Kerberos Events | Base Rule | Authentication Activity | Authentication Success |
| | General Kerberos Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | Credentials For Server Have Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | Password Has Expired | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
| | Bad Password | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
| | EVID 4769 : Serv Principal Valid User-To-User Only | Sub Rule | Domain Trust Information | Information |
| | Clock Skew Too Great | Sub Rule | Clock Skew Too Great | Warning |
| | Invalid Message Type | Sub Rule | Invalid Message Type | Error |
| | Message Stream Modified | Sub Rule | Message Stream Modified | Information |
| | Message Out Of Order | Sub Rule | Message Out Of Order | Error |
| | Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error |
| | Incorrect Sequence Number In Message | Sub Rule | Incorrect Sequence Number | Error |
| | Inappropriate Type Of Checksum In Message | Sub Rule | Inappropriate Type Of Checksum | Error |
| | Generic Error | Sub Rule | Generic Error | Error |
| | Field Is Too Long For This Implementation | Sub Rule | Field Is Too Long | Error |
| | EVID 4768 : Kerberos Auth Ticket (TGT) Requested | Sub Rule | User Logon | Authentication Success |
| | EVID 4768 : Auth Ticket Granted, User Acct | Sub Rule | User Logon | Authentication Success |
| | EVID 4769 : Svc Ticket Granted, User Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4770 : Ticket Renewed, System Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4770 : Ticket Renewed, System Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4770 : Ticket Renewed, User Account | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4769 : Svc Ticket Granted, User Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4770 : Ticket Renewed, System Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4769 : Svc Ticket Granted, Sys Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4769 : Svc Ticket Granted, Sys Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 674 : Ticket Renewed, System Acct | Sub Rule | Authentication Activity | Authentication Success |
| | Integrity Check On Decrypted Field Failed | Sub Rule | Integrity Check On Decrypted Field Failed | Warning |
| | Ticket Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | Ticket Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | Request Is A Replay | Sub Rule | User Logon Failure | Authentication Failure |
| | The Ticket Is Not For Us | Sub Rule | User Logon Failure | Authentication Failure |
| | Ticket And Authenticator Do Not Match | Sub Rule | User Logon Failure | Authentication Failure |
| | Pre-auth Information Was Invalid | Sub Rule | User Logon Failure | Authentication Failure |
| | Additional Pre-authentication Required | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | Server Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
| | Server Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | Server Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | Multiple Principal Entries In Database | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | Server Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | Requested Start Time Is Later Than End Time | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Policy Rejects Request | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Cannot Accommodate Request Option | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Encryption Type | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Checksum Type | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Padata Type | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Transited Type | Sub Rule | User Logon Failure | Authentication Failure |
| | Clients Credentials For Server Have Been Revoked | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768 : Kerberos Auth Ticket (TGT) Failure | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4770 : Ticket Renew Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4769 : Svc Ticket Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4771 : Kerberos Pre-Authentication Failed | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4769 : Svc Ticket Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768 : Clients Credentials For Server Revoked | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768 : Client Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768 : Auth Ticket Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | Alternative Authentication Method Required | Sub Rule | User Logon Failure | Authentication Failure |
| | Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure |
| | Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure |
| | Specified Version Of Key Is Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | Mutual Authentication Failed | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768 : Kerberos Auth Ticket (TGT) Requested | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4768 : Kerberos Auth Ticket (TGT) Requested | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4768 : Auth Ticket Granted, Sys Acct | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4768 : Auth Ticket Granted, Sys Acct | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4771 : Kerberos Pre-Authentication Failed Sys | Sub Rule | Computer Logon Failure | Authentication Failure |
| | EVID 4768 : Kerberos Auth Ticket (TGT) Failure | Sub Rule | Computer Logon Failure | Authentication Failure |
| | EVID 4769 : Svc Ticket Denied, Sys Acct | Sub Rule | Computer Logon Failure | Authentication Failure |
| | EVID 4770 : Ticket Renew Denied, Sys Acct | Sub Rule | Computer Logon Failure | Authentication Failure |
| | EVID 4769 : Svc Ticket Denied, Sys Acct | Sub Rule | Computer Logon Failure | Authentication Failure |
| | EVID 4768 : Auth Ticket Denied, Sys Acct | Sub Rule | Computer Logon Failure | Authentication Failure |
| | Account Locked | Sub Rule | User Logon Failure : Account Locked Out | Authentication Failure |
| | Ticket Not Eligible For Postdating | Sub Rule | Modify Object Attribute Failure | Access Failure |
| | Unsupported Protocol | Sub Rule | Reconnaissance Activity | Reconnaissance |

LogRhythm Default v2.0


| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- | --- |
| 1011089 | V 2.0 : EVID 4768-4771 : Kerberos TGT Failure Msg | Base Rule | General Authentication Event | Other Audit |
| | V 2.0 : EVID 4768 : Computer Logon Success | Sub Rule | Computer Logon | Authentication Success |
| | V 2.0 : EVID 4768 : User Logon Success | Sub Rule | User Logon | Authentication Success |
| | V 2.0 : EVID 4768 : Computer Logon Failure -Bad Us | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure - Clock | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure-Unsprt | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure Invald | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Flr  Credential | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure Pswrd | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure Bad Pas | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure - Expir | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure - Tkt | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure-Duplkte | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure - Clock | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure- Bad User | Sub Rule | User Logon Failure : Bad Username | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure - Clock Out | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure - Unsupport | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure- Invalid Ce | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure - Credentia | Sub Rule | User Logon Failure : Account Disabled | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure- Password E | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure- Bad Pswrd | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure Expired Tkt | Sub Rule | User Logon Failure | Authentication Failure |