Skip to main content
Skip table of contents

EVID 4768, 4771 : Kerberos Events (Part 1) (XML - Security)

Event Details

Event TypeAudit Kerberos Authentication Service
Event Description
  • 4768(S, F) : A Kerberos authentication ticket (TGT) was requested.
  • 4771(F) : Kerberos pre-authentication failed.
Event IDs4768, 4771

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log FieldLogRhythm DefaultLogRhythm Default v2.0
ProviderN/AN/A
EventID<vmid><vmid>
VersionN/AN/A
Level<severity><severity>
TaskN/A<vendorinfo>
OpcodeN/AN/A
Keywords<tag1><result>
TimeCreatedN/AN/A
EventRecordIDN/AN/A
CorrelationN/AN/A
ExecutionN/AN/A
ChannelN/AN/A
Computer<dname><dname>
TargetUserName<login><login>, <tag1>
TargetDomainName<domainorigin><domainorigin>
TargetSidN/AN/A
ServiceName<process><process>
ServiceSidN/AN/A
TicketOptions<object>N/A
Status<status>, <tag3><responsecode>, <tag2>
TicketEncryptionType<sessiontype><policy>
PreAuthTypeN/A<sessiontype>
IpAddress<sip><sip>
IpPort<sport><sport>
CerIssuerNameN/A<subject>
CertSerialNumberN/AN/A
CertThumbprintN/AN/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex IDRule NameRule TypeCommon EventClassification
1007812EVID 4768 - 4771 : Kerberos EventsBase RuleAuthentication ActivityAuthentication Success
General Kerberos FailureSub RuleAuthentication Failure ActivityAuthentication Failure
EVID 4768 : Auth Ticket Granted, User AcctSub RuleUser LogonAuthentication Success
EVID 4769 : Svc Ticket Granted, User AcctSub RuleAuthentication ActivityAuthentication Success
EVID 4770 : Ticket Renewed, User AccountSub RuleAuthentication ActivityAuthentication Success
EVID 4770 : Ticket Renewed, System AcctSub RuleAuthentication ActivityAuthentication Success
EVID 4768 : Auth Ticket Granted, Sys AcctSub RuleComputer LogonAuthentication Success
EVID 674 : Ticket Renewed, System AcctSub RuleAuthentication ActivityAuthentication Success
EVID 4769 : Svc Ticket Granted, Sys AcctSub RuleAuthentication ActivityAuthentication Success
EVID 4768 : Auth Ticket Granted, Sys AcctSub RuleComputer LogonAuthentication Success
EVID 4769 : Svc Ticket Granted, Sys AcctSub RuleAuthentication ActivityAuthentication Success
EVID 4769 : Serv Principal Valid User-To-User OnlySub RuleDomain Trust InformationInformation
EVID 4770 : Ticket Renew Denied, User AcctSub RuleUser Logon FailureAuthentication Failure
EVID 4770 : Ticket Renew Denied, Sys AcctSub RuleUser Logon FailureAuthentication Failure
EVID 4769 : Svc Ticket Denied, User AcctSub RuleUser Logon FailureAuthentication Failure
EVID 4769 : Svc Ticket Denied, Sys AcctSub RuleComputer Logon FailureAuthentication Failure
EVID 4768 : Auth Ticket Denied, User AcctSub RuleUser Logon FailureAuthentication Failure
EVID 4768 : Auth Ticket Denied, Sys AcctSub RuleUser Logon FailureAuthentication Failure
EVID 4768 : Client Not Found In Kerberos DatabaseSub RuleUser Logon FailureAuthentication Failure
EVID 4768 : Clients Credentials For Server RevokedSub RuleUser Logon FailureAuthentication Failure
EVID 4768 : Kerberos Auth Ticket (TGT) RequestedSub RuleComputer LogonAuthentication Success
Field Is Too Long For This ImplementationSub RuleField Is Too LongError
Generic ErrorSub RuleGeneric ErrorError
Inappropriate Type Of Checksum In MessageSub RuleInappropriate Type Of ChecksumError
Incorrect Sequence Number In MessageSub RuleIncorrect Sequence NumberError
Alternative Authentication Method RequiredSub RuleUser Logon FailureAuthentication Failure
Incorrect Message DirectionSub RuleIncorrect Message DirectionError
Mutual Authentication FailedSub RuleUser Logon FailureAuthentication Failure
Service Key Not AvailableSub RuleUser Logon FailureAuthentication Failure
Specified Version Of Key Is Not AvailableSub RuleUser Logon FailureAuthentication Failure
Message Out Of OrderSub RuleMessage Out Of OrderError
Message Stream ModifiedSub RuleMessage Stream ModifiedInformation
Invalid Message TypeSub RuleInvalid Message TypeError
Protocol Version MismatchSub RuleUser Logon FailureAuthentication Failure
Incorrect Net AddressSub RuleUser Logon FailureAuthentication Failure
Clock Skew Too GreatSub RuleClock Skew Too GreatWarning
Ticket And Authenticator Do Not MatchSub RuleUser Logon FailureAuthentication Failure
The Ticket Is Not For UsSub RuleUser Logon FailureAuthentication Failure
Request Is A ReplaySub RuleUser Logon FailureAuthentication Failure
Ticket Not Yet ValidSub RuleUser Logon FailureAuthentication Failure
Ticket ExpiredSub RuleUser Logon FailureAuthentication Failure
Integrity Check On Decrypted Field FailedSub RuleIntegrity Check On Decrypted Field FailedWarning
Additional Pre-authentication RequiredSub RuleUser Logon FailureAuthentication Failure
Pre-auth Information Was InvalidSub RuleUser Logon FailureAuthentication Failure
Password Has ExpiredSub RuleUser Logon Failure : Bad PasswordAuthentication Failure
Server Not Yet ValidSub RuleUser Logon FailureAuthentication Failure
Client Not Yet ValidSub RuleUser Logon FailureAuthentication Failure
TGT Has Been RevokedSub RuleAccess Revoked ActivityAccess Revoked
Credentials For Server Have Been RevokedSub RuleAccess Revoked ActivityAccess Revoked
Clients Credentials For Server Have Been RevokedSub RuleUser Logon FailureAuthentication Failure
KDC Has No Support For Transited TypeSub RuleUser Logon FailureAuthentication Failure
KDC Has No Support For Padata TypeSub RuleUser Logon FailureAuthentication Failure
KDC Has No Support For Checksum TypeSub RuleUser Logon FailureAuthentication Failure
KDC Has No Support For Encryption TypeSub RuleUser Logon FailureAuthentication Failure
KDC Cannot Accommodate Request OptionSub RuleUser Logon FailureAuthentication Failure
KDC Policy Rejects RequestSub RuleUser Logon FailureAuthentication Failure
Requested Start Time Is Later Than End TimeSub RuleUser Logon FailureAuthentication Failure
Ticket Not Eligible For PostdatingSub RuleModify Object Attribute FailureAccess Failure
Client Or Server Has Null KeySub RuleUser Logon FailureAuthentication Failure
Multiple Principal Entries In DatabaseSub RuleUser Logon FailureAuthentication Failure
Server Not Found In Kerberos DatabaseSub RuleUser Logon FailureAuthentication Failure
Client Not Found In Kerberos DatabaseSub RuleUser Logon FailureAuthentication Failure
Server Key Encrypted In Old Master KeySub RuleUser Logon FailureAuthentication Failure
Client Key Encrypted In Old Master KeySub RuleUser Logon FailureAuthentication Failure
Unsupported ProtocolSub RuleReconnaissance ActivityReconnaissance
Server Database Entry Has ExpiredSub RuleUser Logon FailureAuthentication Failure
Client Database Entry Has ExpiredSub RuleUser Logon FailureAuthentication Failure
EVID 4770 : Ticket RenewedSub RuleAuthentication ActivityAuthentication Success
EVID 4771 : Kerberos pre-auth failedSub RuleAuthentication Failure ActivityAuthentication Failure

LogRhythm Default v2.0

Regex IDRule NameRule TypeCommon EventClassification
1011089V 2.0 : EVID 4768 - 4771 : Kerberos TGT Failure MessageBase RuleGeneral Authentication EventOther Audit
V 2.0 : EVID 4768 : Computer Logon SuccessSub RuleComputer LogonAuthentication Success
V 2.0 : EVID 4768 : User Logon SuccessSub RuleUser LogonAuthentication Success
V 2.0 : EVID 4768 : Computer Logon Failure - Bad UserSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure - ClockSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure - UnsupportSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure - InvalidSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure - CredentialSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure - PasswordSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure - Bad PassSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure - ExpiredSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure - TicketSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure - DuplicateSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure - ClockSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure - Bad UsernameSub RuleUser Logon Failure : Bad UsernameAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure - Clock OutSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure - UnsupportedSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure - Invalid CertSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure - CredentialsSub RuleUser Logon Failure : Account DisabledAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure - Password ExpSub RuleUser Logon Failure : Bad PasswordAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure - Bad PasswordSub RuleUser Logon Failure : Bad PasswordAuthentication Failure
V 2.0 : EVID 4768 :User Logon Failure Expired TicketSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure - Ticket NotSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure - DuplicatedSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure - Clock OutSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4771 : Computer Logon Failure - InvalidSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4771 : Computer Logon Failure - PasswordSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4771 : Computer Logon Fai Bad PasswordSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4771 : User Logon Failure - Invalid CertSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4771 : User Logon Fail Password ExpireSub RuleUser Logon Failure : Bad PasswordAuthentication Failure
V 2.0 : EVID 4771 : User Logon Failure Bad PasswordSub RuleUser Logon Failure : Bad PasswordAuthentication Failure
V 2.0 : EVID 4768 : Client Database Entry Has ExpireSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : KDC Has No Support For Transited TypSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Client Not Yet ValidSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : KDC Has No Support For Transited TypSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Additional Pre-auth RequiredSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Server Database Entry Has ExpireSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : The Ticket Is Not For UsSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Ticket And Authenticator Do NotSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Incorrect Net AddressSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Protocol Version MismatchSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Specified Ver Of Key Is Not AvlSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Service Key Not AvailableSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Mutual Authentication FailedSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Alternative Auth MethodSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Client Key Encrypted In Old MstrSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Server Key Encrypted In Old MstrSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Client Not Found In Kerberos DBSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Server Not Found In Kerberos DBSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Multiple Principal Entries In DBSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Client Or Server Has Null KeySub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : KDC Policy Rejects RequestSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : KDC Cannot Accommodate Req OptionSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : KDC Has No Support For ChecksumSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Cred For Server Have Been RevokedSub RuleAccess Revoked ActivityAccess Revoked
V 2.0 : EVID 4768 : TGT Has Been RevokedSub RuleAccess Revoked ActivityAccess Revoked
V 2.0 : EVID 4768 : Integrity Check On Decrypt Field FailSub RuleIntegrity Check On Decrypted Field FailedWarning
V 2.0 : EVID 4768 : Invalid Message TypeSub RuleInvalid Message TypeError
V 2.0 : EVID 4768 : Message Stream ModifiedSub RuleMessage Stream ModifiedInformation
V 2.0 : EVID 4768 : Message Out Of OrderSub RuleMessage Out Of OrderError
V 2.0 : EVID 4768 : Incorrect Message DirectionSub RuleIncorrect Message DirectionError
V 2.0 : EVID 4768 : Unsupported ProtocolSub RuleReconnaissance ActivityReconnaissance
V 2.0 : EVID 4768 : Incorrect Seq No In MessageSub RuleIncorrect Sequence NumberError
V 2.0 : EVID 4768 : Inapt Type Of Checksum In MessageSub RuleInappropriate Type Of ChecksumError
V 2.0 : EVID 4768 : Generic ErrorSub RuleGeneric ErrorError
V 2.0 : EVID 4768 : Field Is Too Long For This ImplmSub RuleField Is Too LongError
V 2.0 : EVID 4768 : Ticket Not Eligible For PostdatingSub RuleModify Object Attribute FailureAccess Failure
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close