Event Details
|
Event Type |
Audit Kerberos Authentication Service |
|---|---|
|
Event Description |
|
|
Event IDs |
4768, 4771 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|
|---|---|---|---|
|
Provider |
N/A |
N/A |
|
|
EventID |
<vmid> |
<vmid> |
|
|
Version |
N/A |
N/A |
|
|
Level |
<severity> |
<severity> |
|
|
Task |
N/A |
<vendorinfo> |
|
|
Opcode |
N/A |
N/A |
|
|
Keywords |
<tag1> |
<result>, <tag3> |
|
|
TimeCreated |
N/A |
N/A |
|
|
EventRecordID |
N/A |
N/A |
|
|
Correlation |
N/A |
N/A |
|
|
Execution |
N/A |
N/A |
|
|
Channel |
N/A |
N/A |
|
|
Computer |
<dname> |
<dname> |
|
|
TargetUserName |
<login> |
<login>, <tag1> |
|
|
TargetDomainName |
<domainorigin> |
<domainorigin> |
|
|
TargetSid |
N/A |
N/A |
|
|
ServiceName |
<process> |
<process> |
|
|
ServiceSid |
N/A |
N/A |
|
|
TicketOptions |
<object> |
<command> |
|
|
Status |
<status>, <tag3> |
<responsecode>, <tag2> |
|
|
TicketEncryptionType |
<sessiontype> |
<policy> |
|
|
PreAuthType |
N/A |
<sessiontype> |
|
|
IpAddress |
<sip> |
<sip> |
|
|
IpPort |
<sport> |
<sport> |
|
|
CerIssuerName |
N/A |
<subject> |
|
|
CertSerialNumber |
N/A |
N/A |
|
|
CertThumbprint |
N/A |
N/A |
|
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1007812 |
EVID 4768 - 4771 : Kerberos Events |
Base Rule |
Authentication Activity |
Authentication Success |
|
EVID 4770 : Ticket Renewed |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
Client Database Entry Has Expired |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Server Database Entry Has Expired |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Unsupported Protocol |
Sub Rule |
Reconnaissance Activity |
Reconnaissance |
|
|
Client Key Encrypted In Old Master Key |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Server Key Encrypted In Old Master Key |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Client Not Found In Kerberos Database |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Server Not Found In Kerberos Database |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Multiple Principal Entries In Database |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Client Or Server Has Null Key |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Ticket Not Eligible For Postdating |
Sub Rule |
Modify Object Attribute Failure |
Access Failure |
|
|
Requested Start Time Is Later Than End Time |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
KDC Policy Rejects Request |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
KDC Cannot Accomodate Request Option |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
KDC Has No Support For Encryption Type |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
KDC Has No Support For Checksum Type |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
KDC Has No Support For Padata Type |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
KDC Has No Support For Transited Type |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Clients Credentials For Server Have Been Revoked |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Credentials For Server Have Been Revoked |
Sub Rule |
Access Revoked Activity |
Access Revoked |
|
|
TGT Has Been Revoked |
Sub Rule |
Access Revoked Activity |
Access Revoked |
|
|
Client Not Yet Valid |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Server Not Yet Valid |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Password Has Expired |
Sub Rule |
User Logon Failure : Bad Password |
Authentication Failure |
|
|
Pre-auth Information Was Invalid |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Additional Pre-authentication Required |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Integrity Check On Decrypted Field Failed |
Sub Rule |
Integrity Check On Decrypted Field Failed |
Warning |
|
|
Ticket Expired |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Ticket Not Yet Valid |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Request Is A Replay |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
The Ticket Is Not For Us |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Ticket And Authenticator Do Not Match |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Clock Skew Too Great |
Sub Rule |
Clock Skew Too Great |
Warning |
|
|
Incorrect Net Address |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Protocol Version Mismatch |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Invalid Message Type |
Sub Rule |
Invalid Message Type |
Error |
|
|
Message Stream Modified |
Sub Rule |
Message Stream Modified |
Information |
|
|
Message Out Of Order |
Sub Rule |
Message Out Of Order |
Error |
|
|
Specified Version Of Key Is Not Available |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Service Key Not Available |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Mutual Authentication Failed |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Incorrect Message Direction |
Sub Rule |
Incorrect Message Direction |
Error |
|
|
Alternative Authentication Method Required |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Incorrect Sequence Number In Message |
Sub Rule |
Incorrect Sequence Number |
Error |
|
|
Inappropriate Type Of Checksum In Message |
Sub Rule |
Inappropriate Type Of Checksum |
Error |
|
|
Generic Error |
Sub Rule |
Generic Error |
Error |
|
|
Field Is Too Long For This Implementation |
Sub Rule |
Field Is Too Long |
Error |
|
|
EVID 4768 : Clients Credentials For Server Revoked |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
EVID 4768 : Client Not Found In Kerberos Database |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
EVID 4768 : Auth Ticket Denied, Usr Acct |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
EVID 4769 : Svc Ticket Denied, Usr Acct |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
EVID 4770 : Ticket Renew Denied, Usr Acct |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
EVID 4769 : Serv Principal Valid User-To-User Only |
Sub Rule |
Domain Trust Information |
Information |
|
|
EVID 4768 : Auth Ticket Granted, Sys Acct |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
EVID 4769 : Svc Ticket Granted, Sys Acct |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4770 : Ticket Renewed, User Account |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4769 : Svc Ticket Granted, Usr Acct |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4768 : Auth Ticket Granted, Usr Acct |
Sub Rule |
User Logon |
Authentication Success |
|
|
General Kerberos Failure |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1011089 |
V 2.0 : EVID 4768-4771 : Kerberos TGT Failure Msg |
Base Rule |
General Authentication Event |
Other Audit |
|
V 2.0 : EVID 4768 : Computer Logon Success |
Sub Rule |
Computer Logon |
Authentication Success |
|
|
V 2.0 : EVID 4768 : User Logon Success |
Sub Rule |
User Logon |
Authentication Success |
|
|
V 2.0 : EVID 4768 : Computer Logon Failure -Bad Us |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Computer Logon Failure - Clock |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Computer Logon Failure-Unsprt |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Computer Logon Failure Invald |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Computer Logon Flr Credential |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Computer Logon Failure Pswrd |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Computer Logon Failure Bad Pas |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Computer Logon Failure - Expir |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Computer Logon Failure - Tkt |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Computer Logon Failure-Duplkte |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Computer Logon Failure - Clock |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : User Logon Failure- Bad User |
Sub Rule |
User Logon Failure : Bad Username |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : User Logon Failure - Clock Out |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : User Logon Failure - Unsupport |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : User Logon Failure- Invalid Ce |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : User Logon Failure - Credentia |
Sub Rule |
User Logon Failure : Account Disabled |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : User Logon Failure- Password E |
Sub Rule |
User Logon Failure : Bad Password |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : User Logon Failure- Bad Pswrd |
Sub Rule |
User Logon Failure : Bad Password |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : User Logon Failure Expired Tkt |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : User Logon Failure Ticket Not |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : User Logon Failure Duplicated |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : User Logon Failure - Clock Out |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4771 : Computer Logon Failure - Invld |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4771 : Computer Logon Failure- Paswrd |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4771 : Computer Logon Fail Bad Pswrd |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4771 : User Logon Failure Invalid Cer |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4771 : User Logon Fail Password Exprd |
Sub Rule |
User Logon Failure : Bad Password |
Authentication Failure |
|
|
V 2.0 : EVID 4771 : User Logon Failure Bad Pswrd |
Sub Rule |
User Logon Failure : Bad Password |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Client Database Entry Has Expr |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : KDC Has No Suprt For Transited |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Client Not Yet Valid |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : KDC Has No Suprt For Transited |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Additional Pre-auth Required |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Server Database Entry Has Expr |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : The Tkt Is Not Fr User |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Ticket & Authenticator Do Not |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Incorrect Net Address |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Protocol Version Mismatch |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Specified Ver Of Key Is Not Av |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Service Key Not Available |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Mutual Authentication Failed |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Alternative Auth Method |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Client Key Encypted In Old Mst |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Server Key Encrypted In Old Ms |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Client Nt Found In Kerberos DB |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Server Nt Found In Kerberos DB |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Multiple Principal Entrs In Db |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Client Or Server Has Null Key |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : KDC Policy Rejects Request |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : KDC Cannot Accomodate Req Optn |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : KDC Has No Support For Checksm |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4768 : Cred For Server Have Been Rvkd |
Sub Rule |
Access Revoked Activity |
Access Revoked |
|
|
V 2.0 : EVID 4768 : TGT Has Been Revoked |
Sub Rule |
Access Revoked Activity |
Access Revoked |
|
|
V 2.0 : EVID 4768 : Integrity Chk On Decrypt Field |
Sub Rule |
Integrity Check On Decrypted Field Failed |
Warning |
|
|
V 2.0 : EVID 4768 : Invalid Message Type |
Sub Rule |
Invalid Message Type |
Error |
|
|
V 2.0 : EVID 4768 : Message Stream Modified |
Sub Rule |
Message Stream Modified |
Information |
|
|
V 2.0 : EVID 4768 : Message Out Of Order |
Sub Rule |
Message Out Of Order |
Error |
|
|
V 2.0 : EVID 4768 : Incorrect Message Direction |
Sub Rule |
Incorrect Message Direction |
Error |
|
|
V 2.0 : EVID 4768 : Unsupported Protocol |
Sub Rule |
Reconnaissance Activity |
Reconnaissance |
|
|
V 2.0 : EVID 4768 : Incorrect Seq No In Message |
Sub Rule |
Incorrect Sequence Number |
Error |
|
|
V 2.0 : EVID 4768 : Inapt Typ Of Chcksum In Msg |
Sub Rule |
Inappropriate Type Of Checksum |
Error |
|
|
V 2.0 : EVID 4768 : Generic Error |
Sub Rule |
Generic Error |
Error |
|
|
V 2.0 : EVID 4768 : Field Is Too Long For This Imp |
Sub Rule |
Field Is Too Long |
Error |
|
|
V 2.0 : EVID 4768 : Ticket Not Eligible For Postda |
Sub Rule |
Modify Object Attribute Failure |
Access Failure |
|
|
V 2.0 : EVID 4771 : Computer Logon Failure - Credentials Revoked |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
V 2.0 : EVID 4771 : User Logon Failure - Credentials Revoked |
Sub Rule |
User Logon Failure : Account Disabled |
Authentication Failure |