V 2.0 : EVID 4768, 4771 : Kerberos TGT Failure Message
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0: EVID 4768, 4771: Kerberos TGT Failure Message | Base Rule | General Authentication Event | Other Audit |
V 2.0: EVID 4768: Computer Logon Success | Sub Rule | Computer Logon | Authentication Success |
V 2.0: EVID 4768: User Logon Success | Sub Rule | User Logon | Authentication Success |
V 2.0: EVID 4768: Computer Logon Failure - Bad Username | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Computer Logon Failure - Clock | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Computer Logon Failure - Unsupported | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Computer Logon Failure - Invalid | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Computer Logon Failure - Credential | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Computer Logon Failure - Password | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Computer Logon Failure - Bad Password | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Computer Logon Failure - Expired | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Computer Logon Failure - Ticket | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Computer Logon Failure - Duplicate | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Computer Logon Failure - Clock | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0: EVID 4768: User Logon Failure - Bad User | Sub Rule | User Logon Failure: Bad Username | Authentication Failure |
V 2.0: EVID 4768: User Logon Failure - Clock Out | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: User Logon Failure - Unsupported | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: User Logon Failure- Invalid Ce | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: User Logon Failure - Credential | Sub Rule | User Logon Failure: Account Disabled | Authentication Failure |
V 2.0: EVID 4768: User Logon Failure - Password Expired | Sub Rule | User Logon Failure: Bad Password | Authentication Failure |
V 2.0: EVID 4768: User Logon Failure - Bad Password | Sub Rule | User Logon Failure: Bad Password | Authentication Failure |
V 2.0: EVID 4768: User Logon Failure - Expired Ticket | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: User Logon Failure - Ticket Not | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: User Logon Failure - Duplicated | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: User Logon Failure - Clock Out | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4771: Computer Logon Failure - Invalid | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0: EVID 4771: Computer Logon Failure- Password | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0: EVID 4771: Computer Logon Failure - Bad Password | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0: EVID 4771: User Logon Failure - Invalid Cert | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4771: User Logon Failure - Password Expired | Sub Rule | User Logon Failure: Bad Password | Authentication Failure |
V 2.0: EVID 4771: User Logon Failure Bad Password | Sub Rule | User Logon Failure: Bad Password | Authentication Failure |
V 2.0: EVID 4768: Client Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: KDC Has No Support for Transited | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: KDC Has No Support for Transited | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Additional Pre-auth Required | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Server Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: The Ticket Is Not From User | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Ticket & Authenticator Do Not | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Specified Version of Key Is Not Available | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Mutual Authentication Failed | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Alternative Auth Method | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Client Key Encrypted in Old Mst | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Server Key Encrypted in Old Ms | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Client Nt Found in Kerberos DB | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Server Nt Found in Kerberos DB | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Multiple Principal Enters in DB | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: KDC Policy Rejects Request | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: KDC Cannot Accommodate Req Optn | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: KDC Has No Support for Checksum | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: EVID 4768: Credentials for Server Have Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
V 2.0: EVID 4768: TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
V 2.0: EVID 4768: Integrity Check on Decrypt Field | Sub Rule | Integrity Check On Decrypted Field Failed | Warning |
V 2.0: EVID 4768: Invalid Message Type | Sub Rule | Invalid Message Type | Error |
V 2.0: EVID 4768: Message Stream Modified | Sub Rule | Message Stream Modified | Information |
V 2.0: EVID 4768: Message Out of Order | Sub Rule | Message Out Of Order | Error |
V 2.0: EVID 4768: Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error |
V 2.0: EVID 4768: Unsupported Protocol | Sub Rule | Reconnaissance Activity | Reconnaissance |
V 2.0: EVID 4768: Incorrect Sequence Number in Message | Sub Rule | Incorrect Sequence Number | Error |
V 2.0: EVID 4768: Inapt Type of Checksum in Msg | Sub Rule | Inappropriate Type Of Checksum | Error |
V 2.0: EVID 4768: Generic Error | Sub Rule | Generic Error | Error |
V 2.0: EVID 4768: Field Is Too Long for This Imp | Sub Rule | Field Is Too Long | Error |
V 2.0: EVID 4768: Ticket Not Eligible for Postda | Sub Rule | Modify Object Attribute Failure | Access Failure |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Provider | N/A | N/A | Identifies the provider that logged the event. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
EventID | <vmid> | Number | The identifier that the provider used to identify the event. |
Version | N/A | N/A | The version number of the event's definition. |
Level | <severity> | Text/String | The severity level defined in the event. |
Task | <vendorinfo> | Text/String | The task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
Opcode | N/A | N/A | The opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
Keywords | <result> <tag3> | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
Channel | N/A | N/A | The channel to which the event was logged. |
Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
TargetUserName | <login> | Text/String | The name of the account for which the TGT was requested. Computer account names end with the $ character. |
TargetDomainName | <domainorigin> | Text/String | The name of the Kerberos Realm that the account name belongs to. This can appear in a variety of formats, including the following: |
TargetSid | N/A | N/A | The SID of the account for which the TGT was requested. |
ServiceName | <process> | Text/String | The name of the service in the Kerberos Realm to which the TGT request was sent. Typically has the value krbtgt for TGT requests, meaning the Ticket Granting Ticket issuing service. For failure events, Service Name typically has the format krbtgt/REALM_NAME. |
ServiceSid | N/A | N/A | The SID of the service account in the Kerberos Realm to which the TGT request was sent. |
TicketOptions | <command> | Text/String | A set of ticket flags in hexadecimal format. |
Status | <responsecode> <tag2> | Number | The hexadecimal result code of the TGT issue operation. |
TicketEncryptionType | <policy> | Text/String/Number | The cryptographic suite that was used for the issued TGT. |
PreAuthType | <sessiontype> | Number | The code number of the pre-authentication type that was used in the TGT request. |
IpAddress | <sip> | Number | The IP address of the computer from which the TGT request was received. Formats vary, and include the following: |
IpPort | <sport> | Number | The source port number of the client network connection (the TGT request connection); 0 for local (localhost) requests. |
CertIssuerName | <subject> | Text/String | The name of the Certification Authority that issued the smart card certificate. Found in the Issued by field of the certificate. |
CertSerialNumber | N/A | N/A | The smart card certificate's serial number. Found in the Serial number field of the certificate. |
CertThumbprint | N/A | N/A | The smart card certificate's thumbprint. Found in the Thumbprint field of the certificate. |
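The mapping table above can be exercised end to end with a small parser. The following is an added example, not LogRhythm's own parsing code: it reads a Windows 4768 event in its XML form, copies each device key onto the schema field the table names for it (keys the table marks N/A are dropped), normalises the fields the table types as Number, applies the table's trailing-`$` rule to tell computer accounts from user accounts, and picks the success/failure outcome from Status. The sample events, host name and realm are constructed; the only fact assumed beyond the table is that Status 0x0 on a 4768 means the TGT was issued (KDC_ERR_NONE) and that 4771 is always a failure, which matches the sub rules listed for it. The per-status sub-rule names are not reproduced.

```python
"""Map a Windows 4768/4771 Kerberos TGT event onto LogRhythm schema fields.

Added example that follows the device-key -> schema mapping table above.
The sample events are constructed, not real captures.
"""
import xml.etree.ElementTree as ET

# Windows event XML namespace.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# EventData keys -> LogRhythm schema fields, as in the table (N/A keys omitted).
FIELD_MAP = {
    "TargetUserName": "login",
    "TargetDomainName": "domainorigin",
    "ServiceName": "process",
    "TicketOptions": "command",
    "Status": "responsecode",
    "TicketEncryptionType": "policy",
    "PreAuthType": "sessiontype",
    "IpAddress": "sip",
    "IpPort": "sport",
    "CertIssuerName": "subject",
}
HEX_FIELDS = {"responsecode"}          # typed Number in the table, arrives as hex text
DEC_FIELDS = {"sessiontype", "sport"}  # typed Number in the table, arrives as decimal text

# Constructed 4768 event template (hypothetical host dc01.example.local, realm EXAMPLE.LOCAL).
EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <Level>0</Level>
    <Task>14339</Task>
    <Keywords>{keywords}</Keywords>
    <Computer>dc01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">EXAMPLE.LOCAL</Data>
    <Data Name="ServiceName">{service}</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">{status}</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:10.0.0.25</Data>
    <Data Name="IpPort">51234</Data>
  </EventData>
</Event>"""


def build_sample(event_id, user, status, service="krbtgt"):
    """Render a constructed event. Keywords carries Audit Success (0x8020...)
    or Audit Failure (0x8010...), which the table maps to <result>."""
    success = event_id == 4768 and status == "0x0"
    keywords = "0x8020000000000000" if success else "0x8010000000000000"
    return EVENT_TEMPLATE.format(event_id=event_id, user=user, status=status,
                                 service=service, keywords=keywords)


def map_event(xml_text):
    """Parse one event and return a dict keyed by LogRhythm schema field name."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{NS}System")
    mapped = {
        "vmid": int(system.findtext(f"{NS}EventID")),   # EventID -> <vmid>
        "severity": system.findtext(f"{NS}Level"),      # Level -> <severity>
        "vendorinfo": system.findtext(f"{NS}Task"),     # Task -> <vendorinfo>
        "result": system.findtext(f"{NS}Keywords"),     # Keywords -> <result>
        "dname": system.findtext(f"{NS}Computer"),      # Computer -> <dname>
    }
    for item in root.iter(f"{NS}Data"):
        field = FIELD_MAP.get(item.get("Name"))
        if field is None:
            continue  # TargetSid, ServiceSid, CertSerialNumber, CertThumbprint are N/A
        value = (item.text or "").strip()
        if field in HEX_FIELDS:
            value = int(value, 16)
        elif field in DEC_FIELDS:
            value = int(value)
        mapped[field] = value
    return mapped


def is_computer_account(login):
    """The table's rule: computer account names end with the $ character."""
    return login.endswith("$")


def classify(mapped):
    """Base-rule outcome: Status 0x0 on a 4768 is a successful TGT issue;
    any other Status, and every 4771, is a failure."""
    kind = "Computer" if is_computer_account(mapped["login"]) else "User"
    if mapped["vmid"] == 4768 and mapped["responsecode"] == 0:
        return f"{kind} Logon Success"
    return f"{kind} Logon Failure"


if __name__ == "__main__":
    # 0x6 is a constructed non-zero Status (client principal unknown) for the failure case.
    for evt in (build_sample(4768, "WS01$", "0x0"),
                build_sample(4768, "alice", "0x6", "krbtgt/EXAMPLE.LOCAL")):
        m = map_event(evt)
        print(m["login"], hex(m["responsecode"]), m["process"], "->", classify(m))
```

Note that the failure sample carries the `krbtgt/REALM_NAME` form of ServiceName the table describes for failure events, so `<process>` differs between the success and failure cases even though both target the same realm.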