EVID 4768, 4771 : Kerberos Events (Part 1) (XML - Security)
Event Details
Event Type | Audit Kerberos Authentication Service |
---|---|
Event Description |
|
Event IDs | 4768, 4771 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 | |
---|---|---|---|
Provider | N/A | N/A | |
EventID | <vmid> | <vmid> | |
Version | N/A | N/A | |
Level | <severity> | <severity> | |
Task | N/A | <vendorinfo> | |
Opcode | N/A | N/A | |
Keywords | <tag1> | <result> | |
TimeCreated | N/A | N/A | |
EventRecordID | N/A | N/A | |
Correlation | N/A | N/A | |
Execution | N/A | N/A | |
Channel | N/A | N/A | |
Computer | <dname> | <dname> | |
TargetUserName | <login> | <login>, <tag1> | |
TargetDomainName | <domainorigin> | <domainorigin> | |
TargetSid | N/A | N/A | |
ServiceName | <process> | <process> | |
ServiceSid | N/A | N/A | |
TicketOptions | <object> | N/A | |
Status | <status>, <tag3> | <responsecode>, <tag2> | |
TicketEncryptionType | <sessiontype> | <policy> | |
PreAuthType | N/A | <sessiontype> | |
IpAddress | <sip> | <sip> | |
IpPort | <sport> | <sport> | |
CerIssuerName | N/A | <subject> | |
CertSerialNumber | N/A | N/A | |
CertThumbprint | N/A | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|---|
1007812 | EVID 4768 - 4771 : Kerberos Events | Base Rule | Authentication Activity | Authentication Success |
General Kerberos Failure | Sub Rule | Authentication Failure Activity | Authentication Failure | |
EVID 4768 : Auth Ticket Granted, User Acct | Sub Rule | User Logon | Authentication Success | |
EVID 4769 : Svc Ticket Granted, User Acct | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4770 : Ticket Renewed, User Account | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4770 : Ticket Renewed, System Acct | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4768 : Auth Ticket Granted, Sys Acct | Sub Rule | Computer Logon | Authentication Success | |
EVID 674 : Ticket Renewed, System Acct | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4769 : Svc Ticket Granted, Sys Acct | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4768 : Auth Ticket Granted, Sys Acct | Sub Rule | Computer Logon | Authentication Success | |
EVID 4769 : Svc Ticket Granted, Sys Acct | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4769 : Serv Principal Valid User-To-User Only | Sub Rule | Domain Trust Information | Information | |
EVID 4770 : Ticket Renew Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4770 : Ticket Renew Denied, Sys Acct | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4769 : Svc Ticket Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4769 : Svc Ticket Denied, Sys Acct | Sub Rule | Computer Logon Failure | Authentication Failure | |
EVID 4768 : Auth Ticket Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4768 : Auth Ticket Denied, Sys Acct | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4768 : Client Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4768 : Clients Credentials For Server Revoked | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4768 : Kerberos Auth Ticket (TGT) Requested | Sub Rule | Computer Logon | Authentication Success | |
Field Is Too Long For This Implementation | Sub Rule | Field Is Too Long | Error | |
Generic Error | Sub Rule | Generic Error | Error | |
Inappropriate Type Of Checksum In Message | Sub Rule | Inappropriate Type Of Checksum | Error | |
Incorrect Sequence Number In Message | Sub Rule | Incorrect Sequence Number | Error | |
Alternative Authentication Method Required | Sub Rule | User Logon Failure | Authentication Failure | |
Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error | |
Mutual Authentication Failed | Sub Rule | User Logon Failure | Authentication Failure | |
Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure | |
Specified Version Of Key Is Not Available | Sub Rule | User Logon Failure | Authentication Failure | |
Message Out Of Order | Sub Rule | Message Out Of Order | Error | |
Message Stream Modified | Sub Rule | Message Stream Modified | Information | |
Invalid Message Type | Sub Rule | Invalid Message Type | Error | |
Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure | |
Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure | |
Clock Skew Too Great | Sub Rule | Clock Skew Too Great | Warning | |
Ticket And Authenticator Do Not Match | Sub Rule | User Logon Failure | Authentication Failure | |
The Ticket Is Not For Us | Sub Rule | User Logon Failure | Authentication Failure | |
Request Is A Replay | Sub Rule | User Logon Failure | Authentication Failure | |
Ticket Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure | |
Ticket Expired | Sub Rule | User Logon Failure | Authentication Failure | |
Integrity Check On Decrypted Field Failed | Sub Rule | Integrity Check On Decrypted Field Failed | Warning | |
Additional Pre-authentication Required | Sub Rule | User Logon Failure | Authentication Failure | |
Pre-auth Information Was Invalid | Sub Rule | User Logon Failure | Authentication Failure | |
Password Has Expired | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
Server Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure | |
Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure | |
TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked | |
Credentials For Server Have Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked | |
Clients Credentials For Server Have Been Revoked | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Has No Support For Transited Type | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Has No Support For Padata Type | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Has No Support For Checksum Type | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Has No Support For Encryption Type | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Cannot Accommodate Request Option | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Policy Rejects Request | Sub Rule | User Logon Failure | Authentication Failure | |
Requested Start Time Is Later Than End Time | Sub Rule | User Logon Failure | Authentication Failure | |
Ticket Not Eligible For Postdating | Sub Rule | Modify Object Attribute Failure | Access Failure | |
Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure | |
Multiple Principal Entries In Database | Sub Rule | User Logon Failure | Authentication Failure | |
Server Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure | |
Client Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure | |
Server Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure | |
Client Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure | |
Unsupported Protocol | Sub Rule | Reconnaissance Activity | Reconnaissance | |
Server Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure | |
Client Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4770 : Ticket Renewed | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4771 : Kerberos pre-auth failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|---|
1011089 | V 2.0 : EVID 4768 - 4771 : Kerberos TGT Failure Message | Base Rule | General Authentication Event | Other Audit |
V 2.0 : EVID 4768 : Computer Logon Success | Sub Rule | Computer Logon | Authentication Success | |
V 2.0 : EVID 4768 : User Logon Success | Sub Rule | User Logon | Authentication Success | |
V 2.0 : EVID 4768 : Computer Logon Failure - Bad User | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure - Clock | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure - Unsupport | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure - Invalid | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure - Credential | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure - Password | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure - Bad Pass | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure - Expired | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure - Ticket | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure - Duplicate | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure - Clock | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure - Bad Username | Sub Rule | User Logon Failure : Bad Username | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure - Clock Out | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure - Unsupported | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure - Invalid Cert | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure - Credentials | Sub Rule | User Logon Failure : Account Disabled | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure - Password Exp | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure - Bad Password | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
V 2.0 : EVID 4768 :User Logon Failure Expired Ticket | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure - Ticket Not | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure - Duplicated | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure - Clock Out | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4771 : Computer Logon Failure - Invalid | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4771 : Computer Logon Failure - Password | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4771 : Computer Logon Fai Bad Password | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4771 : User Logon Failure - Invalid Cert | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4771 : User Logon Fail Password Expire | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
V 2.0 : EVID 4771 : User Logon Failure Bad Password | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
V 2.0 : EVID 4768 : Client Database Entry Has Expire | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : KDC Has No Support For Transited Typ | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : KDC Has No Support For Transited Typ | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Additional Pre-auth Required | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Server Database Entry Has Expire | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : The Ticket Is Not For Us | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Ticket And Authenticator Do Not | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Specified Ver Of Key Is Not Avl | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Mutual Authentication Failed | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Alternative Auth Method | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Client Key Encrypted In Old Mstr | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Server Key Encrypted In Old Mstr | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Client Not Found In Kerberos DB | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Server Not Found In Kerberos DB | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Multiple Principal Entries In DB | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : KDC Policy Rejects Request | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : KDC Cannot Accommodate Req Option | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : KDC Has No Support For Checksum | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Cred For Server Have Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked | |
V 2.0 : EVID 4768 : TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked | |
V 2.0 : EVID 4768 : Integrity Check On Decrypt Field Fail | Sub Rule | Integrity Check On Decrypted Field Failed | Warning | |
V 2.0 : EVID 4768 : Invalid Message Type | Sub Rule | Invalid Message Type | Error | |
V 2.0 : EVID 4768 : Message Stream Modified | Sub Rule | Message Stream Modified | Information | |
V 2.0 : EVID 4768 : Message Out Of Order | Sub Rule | Message Out Of Order | Error | |
V 2.0 : EVID 4768 : Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error | |
V 2.0 : EVID 4768 : Unsupported Protocol | Sub Rule | Reconnaissance Activity | Reconnaissance | |
V 2.0 : EVID 4768 : Incorrect Seq No In Message | Sub Rule | Incorrect Sequence Number | Error | |
V 2.0 : EVID 4768 : Inapt Type Of Checksum In Message | Sub Rule | Inappropriate Type Of Checksum | Error | |
V 2.0 : EVID 4768 : Generic Error | Sub Rule | Generic Error | Error | |
V 2.0 : EVID 4768 : Field Is Too Long For This Implm | Sub Rule | Field Is Too Long | Error | |
V 2.0 : EVID 4768 : Ticket Not Eligible For Postdating | Sub Rule | Modify Object Attribute Failure | Access Failure |