EVID 4768, 4771 : Kerberos Events (Part 1) (XML - Security)
Event Details
Event Type | Audit Kerberos Authentication Service |
---|---|
Event Description |
|
Event IDs | 4768, 4771 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 | |
---|---|---|---|
Provider | N/A | N/A | |
EventID | <vmid> | <vmid> | |
Version | N/A | N/A | |
Level | <severity> | <severity> | |
Task | N/A | <vendorinfo> | |
Opcode | N/A | N/A | |
Keywords | <tag1> | <result>, <tag3> | |
TimeCreated | N/A | N/A | |
EventRecordID | N/A | N/A | |
Correlation | N/A | N/A | |
Execution | N/A | N/A | |
Channel | N/A | N/A | |
Computer | <dname> | <dname> | |
TargetUserName | <login> | <login>, <tag1> | |
TargetDomainName | <domainorigin> | <domainorigin> | |
TargetSid | N/A | N/A | |
ServiceName | <process> | <process> | |
ServiceSid | N/A | N/A | |
TicketOptions | <object> | <command> | |
Status | <status>, <tag3> | <responsecode>, <tag2> | |
TicketEncryptionType | <sessiontype> | <policy> | |
PreAuthType | N/A | <sessiontype> | |
IpAddress | <sip> | <sip> | |
IpPort | <sport> | <sport> | |
CerIssuerName | N/A | <subject> | |
CertSerialNumber | N/A | N/A | |
CertThumbprint | N/A | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|---|
1007812 | EVID 4768 - 4771 : Kerberos Events | Base Rule | Authentication Activity | Authentication Success |
EVID 4770 : Ticket Renewed | Sub Rule | Authentication Activity | Authentication Success | |
Client Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure | |
Server Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure | |
Unsupported Protocol | Sub Rule | Reconnaissance Activity | Reconnaissance | |
Client Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure | |
Server Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure | |
Client Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure | |
Server Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure | |
Multiple Principal Entries In Database | Sub Rule | User Logon Failure | Authentication Failure | |
Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure | |
Ticket Not Eligible For Postdating | Sub Rule | Modify Object Attribute Failure | Access Failure | |
Requested Start Time Is Later Than End Time | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Policy Rejects Request | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Cannot Accomodate Request Option | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Has No Support For Encryption Type | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Has No Support For Checksum Type | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Has No Support For Padata Type | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Has No Support For Transited Type | Sub Rule | User Logon Failure | Authentication Failure | |
Clients Credentials For Server Have Been Revoked | Sub Rule | User Logon Failure | Authentication Failure | |
Credentials For Server Have Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked | |
TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked | |
Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure | |
Server Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure | |
Password Has Expired | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
Pre-auth Information Was Invalid | Sub Rule | User Logon Failure | Authentication Failure | |
Additional Pre-authentication Required | Sub Rule | User Logon Failure | Authentication Failure | |
Integrity Check On Decrypted Field Failed | Sub Rule | Integrity Check On Decrypted Field Failed | Warning | |
Ticket Expired | Sub Rule | User Logon Failure | Authentication Failure | |
Ticket Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure | |
Request Is A Replay | Sub Rule | User Logon Failure | Authentication Failure | |
The Ticket Is Not For Us | Sub Rule | User Logon Failure | Authentication Failure | |
Ticket And Authenticator Do Not Match | Sub Rule | User Logon Failure | Authentication Failure | |
Clock Skew Too Great | Sub Rule | Clock Skew Too Great | Warning | |
Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure | |
Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure | |
Invalid Message Type | Sub Rule | Invalid Message Type | Error | |
Message Stream Modified | Sub Rule | Message Stream Modified | Information | |
Message Out Of Order | Sub Rule | Message Out Of Order | Error | |
Specified Version Of Key Is Not Available | Sub Rule | User Logon Failure | Authentication Failure | |
Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure | |
Mutual Authentication Failed | Sub Rule | User Logon Failure | Authentication Failure | |
Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error | |
Alternative Authentication Method Required | Sub Rule | User Logon Failure | Authentication Failure | |
Incorrect Sequence Number In Message | Sub Rule | Incorrect Sequence Number | Error | |
Inappropriate Type Of Checksum In Message | Sub Rule | Inappropriate Type Of Checksum | Error | |
Generic Error | Sub Rule | Generic Error | Error | |
Field Is Too Long For This Implementation | Sub Rule | Field Is Too Long | Error | |
EVID 4768 : Clients Credentials For Server Revoked | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4768 : Client Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4768 : Auth Ticket Denied, Usr Acct | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4769 : Svc Ticket Denied, Usr Acct | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4770 : Ticket Renew Denied, Usr Acct | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4769 : Serv Principal Valid User-To-User Only | Sub Rule | Domain Trust Information | Information | |
EVID 4768 : Auth Ticket Granted, Sys Acct | Sub Rule | Computer Logon | Authentication Success | |
EVID 4769 : Svc Ticket Granted, Sys Acct | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4770 : Ticket Renewed, User Account | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4769 : Svc Ticket Granted, Usr Acct | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4768 : Auth Ticket Granted, Usr Acct | Sub Rule | User Logon | Authentication Success | |
General Kerberos Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|---|
1011089 | V 2.0 : EVID 4768-4771 : Kerberos TGT Failure Msg | Base Rule | General Authentication Event | Other Audit |
V 2.0 : EVID 4768 : Computer Logon Success | Sub Rule | Computer Logon | Authentication Success | |
V 2.0 : EVID 4768 : User Logon Success | Sub Rule | User Logon | Authentication Success | |
V 2.0 : EVID 4768 : Computer Logon Failure -Bad Us | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure - Clock | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure-Unsprt | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure Invald | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Flr Credential | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure Pswrd | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure Bad Pas | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure - Expir | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure - Tkt | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure-Duplkte | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Computer Logon Failure - Clock | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure- Bad User | Sub Rule | User Logon Failure : Bad Username | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure - Clock Out | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure - Unsupport | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure- Invalid Ce | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure - Credentia | Sub Rule | User Logon Failure : Account Disabled | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure- Password E | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure- Bad Pswrd | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure Expired Tkt | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure Ticket Not | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure Duplicated | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : User Logon Failure - Clock Out | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4771 : Computer Logon Failure - Invld | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4771 : Computer Logon Failure- Paswrd | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4771 : Computer Logon Fail Bad Pswrd | Sub Rule | Computer Logon Failure | Authentication Failure | |
V 2.0 : EVID 4771 : User Logon Failure Invalid Cer | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4771 : User Logon Fail Password Exprd | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
V 2.0 : EVID 4771 : User Logon Failure Bad Pswrd | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
V 2.0 : EVID 4768 : Client Database Entry Has Expr | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : KDC Has No Suprt For Transited | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : KDC Has No Suprt For Transited | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Additional Pre-auth Required | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Server Database Entry Has Expr | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : The Tkt Is Not Fr User | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Ticket & Authenticator Do Not | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Specified Ver Of Key Is Not Av | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Mutual Authentication Failed | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Alternative Auth Method | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Client Key Encypted In Old Mst | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Server Key Encrypted In Old Ms | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Client Nt Found In Kerberos DB | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Server Nt Found In Kerberos DB | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Multiple Principal Entrs In Db | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : KDC Policy Rejects Request | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : KDC Cannot Accomodate Req Optn | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : KDC Has No Support For Checksm | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : EVID 4768 : Cred For Server Have Been Rvkd | Sub Rule | Access Revoked Activity | Access Revoked | |
V 2.0 : EVID 4768 : TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked | |
V 2.0 : EVID 4768 : Integrity Chk On Decrypt Field | Sub Rule | Integrity Check On Decrypted Field Failed | Warning | |
V 2.0 : EVID 4768 : Invalid Message Type | Sub Rule | Invalid Message Type | Error | |
V 2.0 : EVID 4768 : Message Stream Modified | Sub Rule | Message Stream Modified | Information | |
V 2.0 : EVID 4768 : Message Out Of Order | Sub Rule | Message Out Of Order | Error | |
V 2.0 : EVID 4768 : Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error | |
V 2.0 : EVID 4768 : Unsupported Protocol | Sub Rule | Reconnaissance Activity | Reconnaissance | |
V 2.0 : EVID 4768 : Incorrect Seq No In Message | Sub Rule | Incorrect Sequence Number | Error | |
V 2.0 : EVID 4768 : Inapt Typ Of Chcksum In Msg | Sub Rule | Inappropriate Type Of Checksum | Error | |
V 2.0 : EVID 4768 : Generic Error | Sub Rule | Generic Error | Error | |
V 2.0 : EVID 4768 : Field Is Too Long For This Imp | Sub Rule | Field Is Too Long | Error | |
V 2.0 : EVID 4768 : Ticket Not Eligible For Postda | Sub Rule | Modify Object Attribute Failure | Access Failure |