EVID 4769, 4770 : Kerberos Events (Part2) (Español - Security)
Event Details
Event Type | Audit Kerberos Service Ticket Operations |
---|---|
Event Description |
|
Event IDs | 4769, 4770 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 | |
---|---|---|---|
Provider | N/A | N/A | |
EventID | <vmid> | <vmid> | |
Version | N/A | N/A | |
Level | <severity> | <severity> | |
Task | N/A | <vendorinfo> | |
Opcode | N/A | N/A | |
Keywords | <tag1> | <result>, <tag3> | |
TimeCreated | N/A | N/A | |
EventRecordID | N/A | N/A | |
Correlation | N/A | N/A | |
Execution | <processid> | N/A | |
Channel | N/A | N/A | |
Computer | <dname> | <dname> | |
Eventdata | <tag4> | N/A | |
TargetUserName | <login>, <tag2> | <login> | |
TargetDomainName | <domain> | <domainorigin> | |
TargetSid | N/A | N/A | |
ServiceName | N/A | <dname>, <process> | |
ServiceSid | N/A | N/A | |
TicketOptions | N/A | <command> | |
TicketEncryptionType | N/A | <policy> | |
IpAddress | <sip> | <sip> | |
IpPort | <sport> | <sport> | |
Status | <object>, <tag3> | <responsecode>, <tag1> | |
LogonGuid | N/A | N/A | |
TransmittedServices | N/A | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|---|
1006513 | EVID 4768 - 4771 : Kerberos Events | Base Rule | Authentication Activity | Authentication Success |
General Kerberos Failure | Sub Rule | Authentication Failure Activity | Authentication Failure | |
EVID 4768 : Auth Ticket Granted, User Acct | Sub Rule | User Logon | Authentication Success | |
EVID 4769 : Svc Ticket Granted, User Acct | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4770 : Ticket Renewed, User Account | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4770 : Ticket Renewed, System Acct | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4768 : Auth Ticket Granted, Sys Acct | Sub Rule | Computer Logon | Authentication Success | |
EVID 4769 : Svc Ticket Granted, Sys Acct | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4768 : Auth Ticket Granted, Sys Acct | Sub Rule | Computer Logon | Authentication Success | |
EVID 4769 : Svc Ticket Granted, Sys Acct | Sub Rule | Authentication Activity | Authentication Success | |
EVID 4769 : Serv Principal Valid User-To-User Only | Sub Rule | Domain Trust Information | Information | |
EVID 4770 : Ticket Renew Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4770 : Ticket Renew Denied, Sys Acct | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4769 : Svc Ticket Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4769 : Svc Ticket Denied, Sys Acct | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4768 : Auth Ticket Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4768 : Auth Ticket Denied, Sys Acct | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4768 : Client Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4768 : Clients Credentials For Server Revoked | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4768 : Kerberos Auth Ticket (TGT) Requested | Sub Rule | Computer Logon | Authentication Success | |
Field Is Too Long For This Implementation | Sub Rule | Field Is Too Long | Error | |
Generic Error | Sub Rule | Generic Error | Error | |
Inappropriate Type Of Checksum In Message | Sub Rule | Inappropriate Type Of Checksum | Error | |
Incorrect Sequence Number In Message | Sub Rule | Incorrect Sequence Number | Error | |
Alternative Authentication Method Required | Sub Rule | User Logon Failure | Authentication Failure | |
Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error | |
Mutual Authentication Failed | Sub Rule | User Logon Failure | Authentication Failure | |
Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure | |
Specified Version Of Key Is Not Available | Sub Rule | User Logon Failure | Authentication Failure | |
Message Out Of Order | Sub Rule | Message Out Of Order | Error | |
Message Stream Modified | Sub Rule | Message Stream Modified | Information | |
Invalid Message Type | Sub Rule | Invalid Message Type | Error | |
Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure | |
Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure | |
Clock Skew Too Great | Sub Rule | Clock Skew Too Great | Warning | |
Ticket And Authenticator Do Not Match | Sub Rule | User Logon Failure | Authentication Failure | |
The Ticket Is Not For Us | Sub Rule | User Logon Failure | Authentication Failure | |
Request Is A Replay | Sub Rule | User Logon Failure | Authentication Failure | |
Ticket Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure | |
Ticket Expired | Sub Rule | User Logon Failure | Authentication Failure | |
Integrity Check On Decrypted Field Failed | Sub Rule | Integrity Check On Decrypted Field Failed | Warning | |
Additional Pre-authentication Required | Sub Rule | User Logon Failure | Authentication Failure | |
Pre-auth Information Was Invalid | Sub Rule | User Logon Failure | Authentication Failure | |
Password Has Expired | Sub Rule | User Logon Failure : Bad Password | Authentication Failure | |
Server Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure | |
Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure | |
TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked | |
Credentials For Server Have Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked | |
Clients Credentials For Server Have Been Revoked | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Has No Support For Transited Type | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Has No Support For Padata Type | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Has No Support For Checksum Type | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Has No Support For Encryption Type | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Cannot Accommodate Request Option | Sub Rule | User Logon Failure | Authentication Failure | |
KDC Policy Rejects Request | Sub Rule | User Logon Failure | Authentication Failure | |
Requested Start Time Is Later Than End Time | Sub Rule | User Logon Failure | Authentication Failure | |
Ticket Not Eligible For Postdating | Sub Rule | Modify Object Attribute Failure | Access Failure | |
Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure | |
Multiple Principal Entries In Database | Sub Rule | User Logon Failure | Authentication Failure | |
Server Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure | |
Client Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure | |
Server Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure | |
Client Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure | |
Unsupported Protocol | Sub Rule | Reconnaissance Activity | Reconnaissance | |
Server Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure | |
Client Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure | |
EVID 4770 : Ticket Renewed, System Acct | Sub Rule | Authentication Activity | Authentication Success |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|---|
1011091 | V 2.0 : EVID 4769-4770 : Kerberos TGS Messages | Base Rule | General Audit Message | Other Audit |
V 2.0 : EVID 4769 : TGS Ticket Issued | Sub Rule | Object Accessed | Access Success | |
V 2.0 : EVID 4769 : TGS Request Denied Invalid Usr | Sub Rule | Access Object Failure | Access Failure | |
V 2.0 : EVID 4769 : TGS Request Denied Invld Cert | Sub Rule | Access Object Failure | Access Failure | |
V 2.0 : EVID 4769 : TGS Request Denied Credentls | Sub Rule | Access Object Failure | Access Failure | |
V 2.0 : EVID 4769 : TGS Request Denied Pswrd Exp | Sub Rule | Access Object Failure | Access Failure | |
V 2.0 : EVID 4769 : TGS Request Denied Bad Expird | Sub Rule | Access Object Failure | Access Failure | |
V 2.0 : EVID 4770 : TGS Ticket Renewed | Sub Rule | Object Accessed | Access Success | |
V 2.0 : Credentials For Server Have Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked | |
V 2.0 : TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked | |
V 2.0 : General Kerberos Failure | Sub Rule | Authentication Failure Activity | Authentication Failure | |
V 2.0 : Clock Skew Too Great | Sub Rule | Clock Skew Too Great | Warning | |
V 2.0 : EVID 4769 : Serv Principal Valid Usr2Usr | Sub Rule | Domain Trust Information | Information | |
V 2.0 : Field Is Too Long For This Implementation | Sub Rule | Field Is Too Long | Error | |
V 2.0 : Generic Error | Sub Rule | Generic Error | Error | |
V 2.0 : Inappropriate Type Of Checksum In Message | Sub Rule | Inappropriate Type Of Checksum | Error | |
V 2.0 : Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error | |
V 2.0 : Incorrect Sequence Number In Message | Sub Rule | Incorrect Sequence Number | Error | |
V 2.0 : Integrity Check On Decrypted Field Failed | Sub Rule | Integrity Check On Decrypted Field Failed | Warning | |
V 2.0 : Invalid Message Type | Sub Rule | Invalid Message Type | Error | |
V 2.0 : Message Out Of Order | Sub Rule | Message Out Of Order | Error | |
V 2.0 : Message Stream Modified | Sub Rule | Message Stream Modified | Information | |
V 2.0 : Ticket Not Eligible For Postdating | Sub Rule | Modify Object Attribute Failure | Access Failure | |
V 2.0 : Client Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : KDC Has No Support For Padata Type | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Specified Version Of Key Is Not Available | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Server Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Additional Pre-authentication Required | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Requested Start Time Is Later Than End Tim | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Ticket And Authenticator Do Not Match | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : The Ticket Is Not For Us | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Pre-auth Information Was Invalid | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Server Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Multiple Principal Entries In Database | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Ticket Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Alternative Authentication Method Required | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Client Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Server Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Server Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Ticket Expired | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : Request Is A Replay | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : KDC Has No Support For Transited Type | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : KDC Has No Support For Checksum Type | Sub Rule | User Logon Failure | Authentication Failure | |
V 2.0 : KDC Cannot Accomodate Request Option | Sub Rule | User Logon Failure | Authentication Failure |