
EVID 4769 : Kerberos Events (Security)

Event Details

Event Type: Audit Kerberos Service Ticket Operations
Event Description: 4769(S, F) : A Kerberos service ticket was requested.
Event ID: 4769

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | <subject>, <vendorinfo> | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <tag1> | <result>, <tag3> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | <processid> | N/A |
| Processid | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | N/A |
| TargetUserName | <login> | N/A |
| TargetDomainName | N/A | N/A |
| SubjectUserName | N/A | <login> |
| SubjectDomainName | N/A | <domainorigin> |
| SubjectLogonId | N/A | N/A |
| Ticket Options | N/A | <command> |
| Ticket Encryption Type | N/A | <policy> |
| ReasonCode | N/A | N/A |
| ReasonText | N/A | N/A |
| ErrorCode | N/A | N/A |
| serviceName | <process> | <dname>, <process> |
| TicketOptions | <policy> | N/A |
| status | N/A | <responsecode>, <tag1> |
| TicketEncryptionType | <version> | N/A |
| IpAddress | <sip> | <sip> |
| Ip Port | <sport> | <sport> |
| status | N/A | N/A |
| FailureCode | <objectname>, <tag3> | N/A |
| Pre-Authentication Type | <object> | N/A |
| AccountName | <login>, <tag2> | N/A |
| AccountDomain | <domain> | N/A |
| Result Code | <objectname> | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1010216 | EVID 4769 : Kerberos Events | Base Rule | Authentication Activity | Authentication Success |
| | EVID 4769 : Serv Principal Valid User-To-User Only | Sub Rule | Domain Trust Information | Information |
| | Audit Success | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4769 : Svc Ticket Granted, User Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4769 : Svc Ticket Granted, Sys Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4769 : Svc Ticket Granted, Sys Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4769 : Svc Ticket Granted, User Acct | Sub Rule | Authentication Activity | Authentication Success |
| | Audit Failure | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4769 : Svc Ticket Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4769 : Svc Ticket Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4769 : Svc Ticket Denied, Sys Acct | Sub Rule | Computer Logon Failure | Authentication Failure |
| | EVID 4769 : Svc Ticket Denied, Sys Acct | Sub Rule | Computer Logon Failure | Authentication Failure |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1011091 | V 2.0 : EVID 4769-4770 : Kerberos TGS Messages | Base Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 4769 : TGS Ticket Issued | Sub Rule | Object Accessed | Access Success |
| | V 2.0 : EVID 4769 : TGS Request Denied Invalid Usr | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4769 : TGS Request Denied Invld Cert | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4769 : TGS Request Denied Credentls | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4769 : TGS Request Denied Pswrd Exp | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4769 : TGS Request Denied Bad Expird | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4770 : TGS Ticket Renewed | Sub Rule | Object Accessed | Access Success |
| | V 2.0 : Credentials For Server Have Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | V 2.0 : TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | V 2.0 : General Kerberos Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 : Clock Skew Too Great | Sub Rule | Clock Skew Too Great | Warning |
| | V 2.0 : EVID 4769 : Serv Principal Valid Usr2Usr | Sub Rule | Domain Trust Information | Information |
| | V 2.0 : Field Is Too Long For This Implementation | Sub Rule | Field Is Too Long | Error |
| | V 2.0 : Generic Error | Sub Rule | Generic Error | Error |
| | V 2.0 : Inappropriate Type Of Checksum In Message | Sub Rule | Inappropriate Type Of Checksum | Error |
| | V 2.0 : Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error |
| | V 2.0 : Incorrect Sequence Number In Message | Sub Rule | Incorrect Sequence Number | Error |
| | V 2.0 : Integrity Check On Decrypted Field Failed | Sub Rule | Integrity Check On Decrypted Field Failed | Warning |
| | V 2.0 : Invalid Message Type | Sub Rule | Invalid Message Type | Error |
| | V 2.0 : Message Out Of Order | Sub Rule | Message Out Of Order | Error |
| | V 2.0 : Message Stream Modified | Sub Rule | Message Stream Modified | Information |
| | V 2.0 : Ticket Not Eligible For Postdating | Sub Rule | Modify Object Attribute Failure | Access Failure |
| | V 2.0 : Client Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : KDC Has No Support For Padata Type | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Specified Version Of Key Is Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Server Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Additional Pre-authentication Required | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Requested Start Time Is Later Than End Tim | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Ticket And Authenticator Do Not Match | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : The Ticket Is Not For Us | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Pre-auth Information Was Invalid | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Server Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Multiple Principal Entries In Database | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Ticket Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Alternative Authentication Method Required | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Client Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Server Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Server Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Ticket Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Request Is A Replay | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : KDC Has No Support For Transited Type | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : KDC Has No Support For Checksum Type | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : KDC Cannot Accomodate Request Option | Sub Rule | User Logon Failure | Authentication Failure |

