EVID 4769 : Kerberos Events (Security)

Event Details

Event Type	Audit Kerberos Service Ticket Operations
Event Description	4769(S, F) : A Kerberos service ticket was requested.
Event ID	4769

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field	LogRhythm Default	LogRhythm Default v2.0
Provider	N/A	N/A
EventID	<vmid>	<vmid>
Version	N/A	N/A
Level	<severity>	<severity>
Task	<subject>, <vendorinfo>	<vendorinfo>
Opcode	N/A	N/A
Keywords	<tag1>	<result>, <tag3>
TimeCreated	N/A	N/A
EventRecordID	N/A	N/A
Correlation	N/A	N/A
Execution	<processid>	N/A
Processid	N/A	N/A
Channel	N/A	N/A
Computer	<dname>	N/A
TargetUserName	<login>	N/A
TargetDomainName	N/A	N/A
SubjectUserName	N/A	<login>
SubjectDomainName	N/A	<domainorigin>
SubjectLogonId	N/A	N/A
Ticket Options	N/A	<command>
Ticket Encryption Type	N/A	<policy>
ReasonCode	N/A	N/A
ReasonText	N/A	N/A
ErrorCode	N/A	N/A
serviceName	<process>	<dname>, <process>
TicketOptions	<policy>	N/A
status	N/A	<responsecode>, <tag1>
TicketEncryptionType	<version>	N/A
IpAddress	<sip>	<sip>
Ip Port	<sport>	<sport>
status	N/A	N/A
FailureCode	<objectname>, <tag3>	N/A
Pre-Authentication Type	<object>	N/A
AccountName	<login>, <tag2>	N/A
AccountDomain	<domain>	N/A
Result Code	<objectname>	N/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID	Rule Name	Rule Type	Common Event	Classification
1010216	EVID 4769 : Kerberos Events	Base Rule	Authentication Activity	Authentication Success
	EVID 4769 : Serv Principal Valid User-To-User Only	Sub Rule	Domain Trust Information	Information
	Audit Success	Sub Rule	Authentication Activity	Authentication Success
	EVID 4769 : Svc Ticket Granted, User Acct	Sub Rule	Authentication Activity	Authentication Success
	EVID 4769 : Svc Ticket Granted, Sys Acct	Sub Rule	Authentication Activity	Authentication Success
	EVID 4769 : Svc Ticket Granted, Sys Acct	Sub Rule	Authentication Activity	Authentication Success
	EVID 4769 : Svc Ticket Granted, User Acct	Sub Rule	Authentication Activity	Authentication Success
	Audit Failure	Sub Rule	User Logon Failure	Authentication Failure
	EVID 4769 : Svc Ticket Denied, User Acct	Sub Rule	User Logon Failure	Authentication Failure
	EVID 4769 : Svc Ticket Denied, User Acct	Sub Rule	User Logon Failure	Authentication Failure
	EVID 4769 : Svc Ticket Denied, Sys Acct	Sub Rule	Computer Logon Failure	Authentication Failure
	EVID 4769 : Svc Ticket Denied, Sys Acct	Sub Rule	Computer Logon Failure	Authentication Failure

LogRhythm Default v2.0

Regex ID	Rule Name	Rule Type	Common Event	Classification
1011091	V 2.0 : EVID 4769-4770 : Kerberos TGS Messages	Base Rule	General Audit Message	Other Audit
	V 2.0 : EVID 4769 : TGS Ticket Issued	Sub Rule	Object Accessed	Access Success
	V 2.0 : EVID 4769 : TGS Request Denied Invalid Usr	Sub Rule	Access Object Failure	Access Failure
	V 2.0 : EVID 4769 : TGS Request Denied Invld Cert	Sub Rule	Access Object Failure	Access Failure
	V 2.0 : EVID 4769 : TGS Request Denied Credentls	Sub Rule	Access Object Failure	Access Failure
	V 2.0 : EVID 4769 : TGS Request Denied Pswrd Exp	Sub Rule	Access Object Failure	Access Failure
	V 2.0 : EVID 4769 : TGS Request Denied Bad Expird	Sub Rule	Access Object Failure	Access Failure
	V 2.0 : EVID 4770 : TGS Ticket Renewed	Sub Rule	Object Accessed	Access Success
	V 2.0 : Credentials For Server Have Been Revoked	Sub Rule	Access Revoked Activity	Access Revoked
	V 2.0 : TGT Has Been Revoked	Sub Rule	Access Revoked Activity	Access Revoked
	V 2.0 : General Kerberos Failure	Sub Rule	Authentication Failure Activity	Authentication Failure
	V 2.0 : Clock Skew Too Great	Sub Rule	Clock Skew Too Great	Warning
	V 2.0 : EVID 4769 : Serv Principal Valid Usr2Usr	Sub Rule	Domain Trust Information	Information
	V 2.0 : Field Is Too Long For This Implementation	Sub Rule	Field Is Too Long	Error
	V 2.0 : Generic Error	Sub Rule	Generic Error	Error
	V 2.0 : Inappropriate Type Of Checksum In Message	Sub Rule	Inappropriate Type Of Checksum	Error
	V 2.0 : Incorrect Message Direction	Sub Rule	Incorrect Message Direction	Error
	V 2.0 : Incorrect Sequence Number In Message	Sub Rule	Incorrect Sequence Number	Error
	V 2.0 : Integrity Check On Decrypted Field Failed	Sub Rule	Integrity Check On Decrypted Field Failed	Warning
	V 2.0 : Invalid Message Type	Sub Rule	Invalid Message Type	Error
	V 2.0 : Message Out Of Order	Sub Rule	Message Out Of Order	Error
	V 2.0 : Message Stream Modified	Sub Rule	Message Stream Modified	Information
	V 2.0 : Ticket Not Eligible For Postdating	Sub Rule	Modify Object Attribute Failure	Access Failure
	V 2.0 : Client Database Entry Has Expired	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : KDC Has No Support For Padata Type	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Specified Version Of Key Is Not Available	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Client Not Yet Valid	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Server Not Found In Kerberos Database	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Additional Pre-authentication Required	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Requested Start Time Is Later Than End Tim	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Ticket And Authenticator Do Not Match	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Protocol Version Mismatch	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : The Ticket Is Not For Us	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Pre-auth Information Was Invalid	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Service Key Not Available	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Server Not Yet Valid	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Multiple Principal Entries In Database	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Ticket Not Yet Valid	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Alternative Authentication Method Required	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Incorrect Net Address	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Client Key Encrypted In Old Master Key	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Server Database Entry Has Expired	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Server Key Encrypted In Old Master Key	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Client Or Server Has Null Key	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Ticket Expired	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : Request Is A Replay	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : KDC Has No Support For Transited Type	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : KDC Has No Support For Checksum Type	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 : KDC Cannot Accomodate Request Option	Sub Rule	User Logon Failure	Authentication Failure

[data-colorid=k0dwt19gor]{color:#0563c1} html[data-color-mode=dark] [data-colorid=k0dwt19gor]{color:#3e9cfa}Event Details

Log Fields and Parsing

Log Processing Settings

LogRhythm Default

LogRhythm Default v2.0

Event Details