EVID 4769, 4770 : Kerberos Events (Part 2) (XML - Security)

Event Details

Event Type

Audit Kerberos Service Ticket Operations

Event Description

  • 4769(S, F): A Kerberos service ticket was requested.

  • 4770(S): A Kerberos service ticket was renewed.

Event IDs

4769, 4770

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | N/A | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <tag1> | <result>, <tag3> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | <dname> |
| TargetUserName | <login> | <login> |
| TargetDomainName | <domainorigin> | <domainorigin> |
| ServiceName | <process> | <account>, <process> |
| ServiceSid | N/A | N/A |
| TicketOptions | <object> | <command> |
| TicketEncryptionType | <sessiontype> | <policy> |
| IpAddress | <sip> | <sip> |
| IpPort | <sport> | <sport> |
| Status | <status>, <tag3> | <responsecode>, <tag1> |
| LogonGuid | N/A | N/A |
| TransmittedServices | N/A | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1007812 | EVID 4768 - 4771: Kerberos Events | Base Rule | Authentication Activity | Authentication Success |
| | General Kerberos Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | EVID 4768: Auth Ticket Granted, User Acct | Sub Rule | User Logon | Authentication Success |
| | EVID 4769: Svc Ticket Granted, User Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4770: Ticket Renewed, User Account | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4770: Ticket Renewed, System Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4768: Auth Ticket Granted, Sys Acct | Sub Rule | Computer Logon | Authentication Success |
| | EVID 674: Ticket Renewed, System Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4769: Svc Ticket Granted, Sys Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4768: Auth Ticket Granted, Sys Acct | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4769: Svc Ticket Granted, Sys Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4769: Serv Principal Valid User-To-User Only | Sub Rule | Domain Trust Information | Information |
| | EVID 4770: Ticket Renew Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4770: Ticket Renew Denied, Sys Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4769: Svc Ticket Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4769: Svc Ticket Denied, Sys Acct | Sub Rule | Computer Logon Failure | Authentication Failure |
| | EVID 4768: Auth Ticket Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768: Auth Ticket Denied, Sys Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768: Client Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768: Clients Credentials For Server Revoked | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768: Kerberos Auth Ticket (TGT) Requested | Sub Rule | Computer Logon | Authentication Success |
| | Field Is Too Long For This Implementation | Sub Rule | Field Is Too Long | Error |
| | Generic Error | Sub Rule | Generic Error | Error |
| | Inappropriate Type Of Checksum In Message | Sub Rule | Inappropriate Type Of Checksum | Error |
| | Incorrect Sequence Number In Message | Sub Rule | Incorrect Sequence Number | Error |
| | Alternative Authentication Method Required | Sub Rule | User Logon Failure | Authentication Failure |
| | Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error |
| | Mutual Authentication Failed | Sub Rule | User Logon Failure | Authentication Failure |
| | Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | Specified Version Of Key Is Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | Message Out Of Order | Sub Rule | Message Out Of Order | Error |
| | Message Stream Modified | Sub Rule | Message Stream Modified | Information |
| | Invalid Message Type | Sub Rule | Invalid Message Type | Error |
| | Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure |
| | Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure |
| | Clock Skew Too Great | Sub Rule | Clock Skew Too Great | Warning |
| | Ticket And Authenticator Do Not Match | Sub Rule | User Logon Failure | Authentication Failure |
| | The Ticket Is Not For Us | Sub Rule | User Logon Failure | Authentication Failure |
| | Request Is A Replay | Sub Rule | User Logon Failure | Authentication Failure |
| | Ticket Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | Ticket Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | Integrity Check On Decrypted Field Failed | Sub Rule | Integrity Check On Decrypted Field Failed | Warning |
| | Additional Pre-authentication Required | Sub Rule | User Logon Failure | Authentication Failure |
| | Pre-auth Information Was Invalid | Sub Rule | User Logon Failure | Authentication Failure |
| | Password Has Expired | Sub Rule | User Logon Failure: Bad Password | Authentication Failure |
| | Server Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | Credentials For Server Have Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | Clients Credentials For Server Have Been Revoked | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Transited Type | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Padata Type | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Checksum Type | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Encryption Type | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Cannot Accommodate Request Option | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Policy Rejects Request | Sub Rule | User Logon Failure | Authentication Failure |
| | Requested Start Time Is Later Than End Time | Sub Rule | User Logon Failure | Authentication Failure |
| | Ticket Not Eligible For Postdating | Sub Rule | Modify Object Attribute Failure | Access Failure |
| | Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure |
| | Multiple Principal Entries In Database | Sub Rule | User Logon Failure | Authentication Failure |
| | Server Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | Server Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
| | Unsupported Protocol | Sub Rule | Reconnaissance Activity | Reconnaissance |
| | Server Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4770: Ticket Renewed | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4771: Kerberos pre-auth failed | Sub Rule | Authentication Failure Activity | Authentication Failure |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1011091 | V 2.0: EVID 4769 - 4770: Kerberos TGS Messages | Base Rule | General Audit Message | Other Audit |
| | V 2.0: EVID 4769: TGS Ticket Issued | Sub Rule | Object Accessed | Access Success |
| | V 2.0: EVID 4769: TGS Request Denied Invalid User | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0: EVID 4769: TGS Request Denied Invalid Cert | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0: EVID 4769: TGS Request Denied - Credentials | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0: EVID 4769: TGS Request Denied Password Exp | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0: EVID 4769: TGS Request Denied - Bad Expired | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0: EVID 4769: TGS Request Denied KDC_ERR | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0: EVID 4770: TGS Ticket Renewed | Sub Rule | Object Accessed | Access Success |
| | V 2.0: Credentials For Server Have Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | V 2.0: TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | V 2.0: General Kerberos Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0: Clock Skew Too Great | Sub Rule | Clock Skew Too Great | Warning |
| | V 2.0: EVID 4769: Serv Principal Valid Usr2Usr | Sub Rule | Domain Trust Information | Information |
| | V 2.0: Field Is Too Long For This Implementation | Sub Rule | Field Is Too Long | Error |
| | V 2.0: Generic Error | Sub Rule | Generic Error | Error |
| | V 2.0: Inappropriate Type Of Checksum In Message | Sub Rule | Inappropriate Type Of Checksum | Error |
| | V 2.0: Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error |
| | V 2.0: Incorrect Sequence Number In Message | Sub Rule | Incorrect Sequence Number | Error |
| | V 2.0: Integrity Check On Decrypted Field Failed | Sub Rule | Integrity Check On Decrypted Field Failed | Warning |
| | V 2.0: Invalid Message Type | Sub Rule | Invalid Message Type | Error |
| | V 2.0: Message Out Of Order | Sub Rule | Message Out Of Order | Error |
| | V 2.0: Message Stream Modified | Sub Rule | Message Stream Modified | Information |
| | V 2.0: Ticket Not Eligible For Postdating | Sub Rule | Modify Object Attribute Failure | Access Failure |
| | V 2.0: Client Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: KDC Has No Support For Padata Type | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Specified Version Of Key Is Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Server Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Additional Pre-authentication Required | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Requested Start Time Is Later Than End Tim | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Ticket And Authenticator Do Not Match | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: The Ticket Is Not For Us | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Pre-auth Information Was Invalid | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Server Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Multiple Principal Entries In Database | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Ticket Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Alternative Authentication Method Required | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Client Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Server Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Server Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Ticket Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: Request Is A Replay | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: KDC Has No Support For Transited Type | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: KDC Has No Support For Checksum Type | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0: KDC Cannot Accommodate Request Option | Sub Rule | User Logon Failure | Authentication Failure |
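As an added example (not LogRhythm's code and not part of this page), the Python below applies the LogRhythm Default v2.0 column of the Log Fields table to a constructed 4769 event in Windows Security XML form, then selects the v2.0 sub-rule, Common Event and Classification from the parsed Status code, the way the base rule is broken into sub-rules above. The XML sample, the `NS`, `parse_4769` and `classify` names, and the Kerberos result code to sub-rule correspondence are this example's assumptions; the page lists the sub-rules but not the codes each one keys on.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample of a 4769 event in Windows Security XML form (not a real capture).
SAMPLE_4769 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4769</EventID><Level>0</Level><Task>14337</Task>
  <Computer>dc01.example.test</Computer></System>
 <EventData>
  <Data Name="TargetUserName">alice@EXAMPLE.TEST</Data>
  <Data Name="TargetDomainName">EXAMPLE.TEST</Data>
  <Data Name="ServiceName">FS01$</Data>
  <Data Name="TicketOptions">0x40810000</Data>
  <Data Name="TicketEncryptionType">0x12</Data>
  <Data Name="IpAddress">::ffff:10.0.0.25</Data>
  <Data Name="IpPort">49152</Data>
  <Data Name="Status">0x0</Data>
 </EventData></Event>"""
# LogRhythm Default v2.0 column of the page's Log Fields table (N/A rows omitted).
V2_SYSTEM_MAP = {"EventID": "vmid", "Level": "severity", "Task": "vendorinfo", "Computer": "dname"}
V2_DATA_MAP = {"TargetUserName": ("login",), "TargetDomainName": ("domainorigin",),
               "ServiceName": ("account", "process"), "TicketOptions": ("command",),
               "TicketEncryptionType": ("policy",), "IpAddress": ("sip",),
               "IpPort": ("sport",), "Status": ("responsecode", "tag1")}
# Status code -> v2.0 sub-rule: RFC 4120 error numbers; which code each sub-rule keys on is assumed here.
STATUS_TO_SUBRULE = {
    0x0: "V 2.0: EVID 4769: TGS Ticket Issued", 0x7: "V 2.0: Server Not Found In Kerberos Database",
    0x14: "V 2.0: TGT Has Been Revoked", 0x18: "V 2.0: Pre-auth Information Was Invalid",
    0x20: "V 2.0: Ticket Expired", 0x22: "V 2.0: Request Is A Replay",
    0x25: "V 2.0: Clock Skew Too Great"}
FALLBACK_RULE = "V 2.0: EVID 4769: TGS Request Denied KDC_ERR"
# Sub-rule -> (Common Event, Classification) from the v2.0 rules table; other denials are User Logon Failure.
SUBRULE_CLASS = {"V 2.0: EVID 4769: TGS Ticket Issued": ("Object Accessed", "Access Success"),
                 "V 2.0: TGT Has Been Revoked": ("Access Revoked Activity", "Access Revoked"),
                 "V 2.0: Clock Skew Too Great": ("Clock Skew Too Great", "Warning"),
                 FALLBACK_RULE: ("Access Object Failure", "Access Failure")}
DEFAULT_CLASS = ("User Logon Failure", "Authentication Failure")

def parse_4769(xml_text):
    """Map one 4769/4770 event's XML fields to the v2.0 metadata field names."""
    root = ET.fromstring(xml_text)
    meta = {f: root.findtext(f"e:System/e:{t}", namespaces=NS) for t, f in V2_SYSTEM_MAP.items()}
    for data in root.findall("e:EventData/e:Data", NS):
        for field in V2_DATA_MAP.get(data.get("Name"), ()):
            meta[field] = data.text
    return meta

def classify(meta):
    """Return (sub-rule, common event, classification) selected from the parsed Status code."""
    rule = STATUS_TO_SUBRULE.get(int(meta["responsecode"], 16), FALLBACK_RULE)
    return (rule,) + SUBRULE_CLASS.get(rule, DEFAULT_CLASS)
```

Unknown Status codes fall through to the "TGS Request Denied KDC_ERR" sub-rule, so a parser fed a code outside the mapping still lands on an Access Failure rather than being silently dropped.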