EVID 4768, 4771 : Kerberos Events (Part 1) (XML - Security)

Event Details

Event Type

Audit Kerberos Authentication Service

Event Description

  • 4768(S, F) : A Kerberos authentication ticket (TGT) was requested.

  • 4771(F) : Kerberos pre-authentication failed.

Event IDs

4768, 4771

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | N/A | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <tag1> | <result>, <tag3> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| TargetUserName | <login> | <login>, <tag1> |
| TargetDomainName | <domainorigin> | <domainorigin> |
| TargetSid | N/A | N/A |
| ServiceName | <process> | <process> |
| ServiceSid | N/A | N/A |
| TicketOptions | <object> | <command> |
| Status | <status>, <tag3> | <responsecode>, <tag2> |
| TicketEncryptionType | <sessiontype> | <policy> |
| PreAuthType | N/A | <sessiontype> |
| IpAddress | <sip> | <sip> |
| IpPort | <sport> | <sport> |
| CertIssuerName | N/A | <subject> |
| CertSerialNumber | N/A | N/A |
| CertThumbprint | N/A | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1007812 | EVID 4768 - 4771 : Kerberos Events | Base Rule | Authentication Activity | Authentication Success |
| | EVID 4770 : Ticket Renewed | Sub Rule | Authentication Activity | Authentication Success |
| | Client Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | Server Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | Unsupported Protocol | Sub Rule | Reconnaissance Activity | Reconnaissance |
| | Client Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
| | Server Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | Server Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | Multiple Principal Entries In Database | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure |
| | Ticket Not Eligible For Postdating | Sub Rule | Modify Object Attribute Failure | Access Failure |
| | Requested Start Time Is Later Than End Time | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Policy Rejects Request | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Cannot Accomodate Request Option | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Encryption Type | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Checksum Type | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Padata Type | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Transited Type | Sub Rule | User Logon Failure | Authentication Failure |
| | Clients Credentials For Server Have Been Revoked | Sub Rule | User Logon Failure | Authentication Failure |
| | Credentials For Server Have Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | Server Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | Password Has Expired | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
| | Pre-auth Information Was Invalid | Sub Rule | User Logon Failure | Authentication Failure |
| | Additional Pre-authentication Required | Sub Rule | User Logon Failure | Authentication Failure |
| | Integrity Check On Decrypted Field Failed | Sub Rule | Integrity Check On Decrypted Field Failed | Warning |
| | Ticket Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | Ticket Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | Request Is A Replay | Sub Rule | User Logon Failure | Authentication Failure |
| | The Ticket Is Not For Us | Sub Rule | User Logon Failure | Authentication Failure |
| | Ticket And Authenticator Do Not Match | Sub Rule | User Logon Failure | Authentication Failure |
| | Clock Skew Too Great | Sub Rule | Clock Skew Too Great | Warning |
| | Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure |
| | Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure |
| | Invalid Message Type | Sub Rule | Invalid Message Type | Error |
| | Message Stream Modified | Sub Rule | Message Stream Modified | Information |
| | Message Out Of Order | Sub Rule | Message Out Of Order | Error |
| | Specified Version Of Key Is Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | Mutual Authentication Failed | Sub Rule | User Logon Failure | Authentication Failure |
| | Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error |
| | Alternative Authentication Method Required | Sub Rule | User Logon Failure | Authentication Failure |
| | Incorrect Sequence Number In Message | Sub Rule | Incorrect Sequence Number | Error |
| | Inappropriate Type Of Checksum In Message | Sub Rule | Inappropriate Type Of Checksum | Error |
| | Generic Error | Sub Rule | Generic Error | Error |
| | Field Is Too Long For This Implementation | Sub Rule | Field Is Too Long | Error |
| | EVID 4768 : Clients Credentials For Server Revoked | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768 : Client Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768 : Auth Ticket Denied, Usr Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4769 : Svc Ticket Denied, Usr Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4770 : Ticket Renew Denied, Usr Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4769 : Serv Principal Valid User-To-User Only | Sub Rule | Domain Trust Information | Information |
| | EVID 4768 : Auth Ticket Granted, Sys Acct | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4769 : Svc Ticket Granted, Sys Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4770 : Ticket Renewed, User Account | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4769 : Svc Ticket Granted, Usr Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4768 : Auth Ticket Granted, Usr Acct | Sub Rule | User Logon | Authentication Success |
| | General Kerberos Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1011089 | V 2.0 : EVID 4768-4771 : Kerberos TGT Failure Msg | Base Rule | General Authentication Event | Other Audit |
| | V 2.0 : EVID 4768 : Computer Logon Success | Sub Rule | Computer Logon | Authentication Success |
| | V 2.0 : EVID 4768 : User Logon Success | Sub Rule | User Logon | Authentication Success |
| | V 2.0 : EVID 4768 : Computer Logon Failure -Bad Us | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure - Clock | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure-Unsprt | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure Invald | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Flr  Credential | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure Pswrd | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure Bad Pas | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure - Expir | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure - Tkt | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure-Duplkte | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Computer Logon Failure - Clock | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure- Bad User | Sub Rule | User Logon Failure : Bad Username | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure - Clock Out | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure - Unsupport | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure- Invalid Ce | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure - Credentia | Sub Rule | User Logon Failure : Account Disabled | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure- Password E | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure- Bad Pswrd | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure Expired Tkt | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure Ticket Not | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure Duplicated | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : User Logon Failure - Clock Out | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4771 : Computer Logon Failure - Invld | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4771 : Computer Logon Failure- Paswrd | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4771 : Computer Logon Fail Bad Pswrd | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4771 : User Logon Failure Invalid Cer | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4771 : User Logon Fail Password Exprd | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
| | V 2.0 : EVID 4771 : User Logon Failure Bad Pswrd | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
| | V 2.0 : EVID 4768 : Client Database Entry Has Expr | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : KDC Has No Suprt For Transited | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : KDC Has No Suprt For Transited | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Additional Pre-auth Required | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Server Database Entry Has Expr | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : The Tkt Is Not Fr User | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Ticket & Authenticator Do Not | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Specified Ver Of Key Is Not Av | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Mutual Authentication Failed | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Alternative Auth Method | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Client Key Encypted In Old Mst | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Server Key Encrypted In Old Ms | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Client Nt Found In Kerberos DB | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Server Nt Found In Kerberos DB | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Multiple Principal Entrs In Db | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : KDC Policy Rejects Request | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : KDC Cannot Accomodate Req Optn | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : KDC Has No Support For Checksm | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4768 : Cred For Server Have Been Rvkd | Sub Rule | Access Revoked Activity | Access Revoked |
| | V 2.0 : EVID 4768 : TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | V 2.0 : EVID 4768 : Integrity Chk On Decrypt Field | Sub Rule | Integrity Check On Decrypted Field Failed | Warning |
| | V 2.0 : EVID 4768 : Invalid Message Type | Sub Rule | Invalid Message Type | Error |
| | V 2.0 : EVID 4768 : Message Stream Modified | Sub Rule | Message Stream Modified | Information |
| | V 2.0 : EVID 4768 : Message Out Of Order | Sub Rule | Message Out Of Order | Error |
| | V 2.0 : EVID 4768 : Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error |
| | V 2.0 : EVID 4768 : Unsupported Protocol | Sub Rule | Reconnaissance Activity | Reconnaissance |
| | V 2.0 : EVID 4768 : Incorrect Seq No In Message | Sub Rule | Incorrect Sequence Number | Error |
| | V 2.0 : EVID 4768 : Inapt Typ Of Chcksum In Msg | Sub Rule | Inappropriate Type Of Checksum | Error |
| | V 2.0 : EVID 4768 : Generic Error | Sub Rule | Generic Error | Error |
| | V 2.0 : EVID 4768 : Field Is Too Long For This Imp | Sub Rule | Field Is Too Long | Error |
| | V 2.0 : EVID 4768 : Ticket Not Eligible For Postda | Sub Rule | Modify Object Attribute Failure | Access Failure |
| | V 2.0 : EVID 4771 : Computer Logon Failure - Credentials Revoked | Sub Rule | Computer Logon Failure | Authentication Failure |
| | V 2.0 : EVID 4771 : User Logon Failure - Credentials Revoked | Sub Rule | User Logon Failure : Account Disabled | Authentication Failure |
