Event Details
|
Event Type |
Audit Kerberos Service Ticket Operations |
|---|---|
|
Event Description |
4769(S, F) : A Kerberos service ticket was requested. |
|
Event ID |
4769 |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
Provider |
N/A |
N/A |
|
EventID |
<vmid> |
<vmid> |
|
Version |
N/A |
N/A |
|
Level |
<severity> |
<severity> |
|
Task |
<subject>, <vendorinfo> |
<vendorinfo> |
|
Opcode |
N/A |
N/A |
|
Keywords |
<tag1> |
<result>, <tag3> |
|
TimeCreated |
N/A |
N/A |
|
EventRecordID |
N/A |
N/A |
|
Correlation |
N/A |
N/A |
|
Execution |
<processid> |
N/A |
|
Processid |
N/A |
N/A |
|
Channel |
N/A |
N/A |
|
Computer |
<dname> |
N/A |
|
TargetUserName |
<login> |
N/A |
|
TargetDomainName |
N/A |
N/A |
|
SubjectUserName |
N/A |
<login> |
|
SubjectDomainName |
N/A |
<domainorigin> |
|
SubjectLogonId |
N/A |
N/A |
|
Ticket Options |
N/A |
<command> |
|
Ticket Encryption Type |
N/A |
<policy> |
|
ReasonCode |
N/A |
N/A |
|
ReasonText |
N/A |
N/A |
|
ErrorCode |
N/A |
N/A |
|
serviceName |
<process> |
<dname>, <process> |
|
TicketOptions |
<policy> |
N/A |
|
status |
N/A |
<responsecode>, <tag1> |
|
TicketEncryptionType |
<version> |
N/A |
|
IpAddress |
<sip> |
<sip> |
|
Ip Port |
<sport> |
<sport> |
|
status |
N/A |
N/A |
|
FailureCode |
<objectname>, <tag3> |
N/A |
|
Pre-Authentication Type |
<object> |
N/A |
|
AccountName |
<login>, <tag2> |
N/A |
|
AccountDomain |
<domain> |
N/A |
|
Result Code |
<objectname> |
N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1010216 |
EVID 4769 : Kerberos Events |
Base Rule |
Authentication Activity |
Authentication Success |
|
EVID 4769 : Serv Principal Valid User-To-User Only |
Sub Rule |
Domain Trust Information |
Information |
|
|
Audit Success |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4769 : Svc Ticket Granted, User Acct |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4769 : Svc Ticket Granted, Sys Acct |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4769 : Svc Ticket Granted, Sys Acct |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 4769 : Svc Ticket Granted, User Acct |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
Audit Failure |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
EVID 4769 : Svc Ticket Denied, User Acct |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
EVID 4769 : Svc Ticket Denied, User Acct |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
EVID 4769 : Svc Ticket Denied, Sys Acct |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
|
|
EVID 4769 : Svc Ticket Denied, Sys Acct |
Sub Rule |
Computer Logon Failure |
Authentication Failure |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|
1011091 |
V 2.0 : EVID 4769-4770 : Kerberos TGS Messages |
Base Rule |
General Audit Message |
Other Audit |
|
V 2.0 : EVID 4769 : TGS Ticket Issued |
Sub Rule |
Object Accessed |
Access Success |
|
|
V 2.0 : EVID 4769 : TGS Request Denied Invalid Usr |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 4769 : TGS Request Denied Invld Cert |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 4769 : TGS Request Denied Credentls |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 4769 : TGS Request Denied Pswrd Exp |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 4769 : TGS Request Denied Bad Expird |
Sub Rule |
Access Object Failure |
Access Failure |
|
|
V 2.0 : EVID 4770 : TGS Ticket Renewed |
Sub Rule |
Object Accessed |
Access Success |
|
|
V 2.0 : Credentials For Server Have Been Revoked |
Sub Rule |
Access Revoked Activity |
Access Revoked |
|
|
V 2.0 : TGT Has Been Revoked |
Sub Rule |
Access Revoked Activity |
Access Revoked |
|
|
V 2.0 : General Kerberos Failure |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 : Clock Skew Too Great |
Sub Rule |
Clock Skew Too Great |
Warning |
|
|
V 2.0 : EVID 4769 : Serv Principal Valid Usr2Usr |
Sub Rule |
Domain Trust Information |
Information |
|
|
V 2.0 : Field Is Too Long For This Implementation |
Sub Rule |
Field Is Too Long |
Error |
|
|
V 2.0 : Generic Error |
Sub Rule |
Generic Error |
Error |
|
|
V 2.0 : Inappropriate Type Of Checksum In Message |
Sub Rule |
Inappropriate Type Of Checksum |
Error |
|
|
V 2.0 : Incorrect Message Direction |
Sub Rule |
Incorrect Message Direction |
Error |
|
|
V 2.0 : Incorrect Sequence Number In Message |
Sub Rule |
Incorrect Sequence Number |
Error |
|
|
V 2.0 : Integrity Check On Decrypted Field Failed |
Sub Rule |
Integrity Check On Decrypted Field Failed |
Warning |
|
|
V 2.0 : Invalid Message Type |
Sub Rule |
Invalid Message Type |
Error |
|
|
V 2.0 : Message Out Of Order |
Sub Rule |
Message Out Of Order |
Error |
|
|
V 2.0 : Message Stream Modified |
Sub Rule |
Message Stream Modified |
Information |
|
|
V 2.0 : Ticket Not Eligible For Postdating |
Sub Rule |
Modify Object Attribute Failure |
Access Failure |
|
|
V 2.0 : Client Database Entry Has Expired |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : KDC Has No Support For Padata Type |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Specified Version Of Key Is Not Available |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Client Not Yet Valid |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Server Not Found In Kerberos Database |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Additional Pre-authentication Required |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Requested Start Time Is Later Than End Tim |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Ticket And Authenticator Do Not Match |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Protocol Version Mismatch |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : The Ticket Is Not For Us |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Pre-auth Information Was Invalid |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Service Key Not Available |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Server Not Yet Valid |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Multiple Principal Entries In Database |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Ticket Not Yet Valid |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Alternative Authentication Method Required |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Incorrect Net Address |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Client Key Encrypted In Old Master Key |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Server Database Entry Has Expired |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Server Key Encrypted In Old Master Key |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Client Or Server Has Null Key |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Ticket Expired |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : Request Is A Replay |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : KDC Has No Support For Transited Type |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : KDC Has No Support For Checksum Type |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
V 2.0 : KDC Cannot Accomodate Request Option |
Sub Rule |
User Logon Failure |
Authentication Failure |