V 2.0 : EVID 4769, 4770 : Kerberos TGS Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : EVID 4769, 4770 : Kerberos TGS Messages | Base Rule | General Audit Message | Other Audit |
V 2.0 : EVID 4769 : TGS Ticket Issued | Sub Rule | Object Accessed | Access Success |
V 2.0 : EVID 4769 : TGS Request Denied Invalid User | Sub Rule | Access Object Failure | Access Failure |
V 2.0 : EVID 4769 : TGS Request Denied Invalid Cert | Sub Rule | Access Object Failure | Access Failure |
V 2.0 : EVID 4769 : TGS Request Denied Credentials | Sub Rule | Access Object Failure | Access Failure |
V 2.0 : EVID 4769 : TGS Request Denied Password Expired | Sub Rule | Access Object Failure | Access Failure |
V 2.0 : EVID 4769 : TGS Request Denied Bad Expired | Sub Rule | Access Object Failure | Access Failure |
V 2.0 : EVID 4770 : TGS Ticket Renewed | Sub Rule | Object Accessed | Access Success |
V 2.0 : Credentials for Server Have Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
V 2.0 : TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
V 2.0 : General Kerberos Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
V 2.0 : Clock Skew Too Great | Sub Rule | Clock Skew Too Great | Warning |
V 2.0 : EVID 4769 : Serv Principal Valid Usr2Usr | Sub Rule | Domain Trust Information | Information |
V 2.0 : Field Is Too Long for This Implementation | Sub Rule | Field Is Too Long | Error |
V 2.0 : Generic Error | Sub Rule | Generic Error | Error |
V 2.0 : Inappropriate Type of Checksum in Message | Sub Rule | Inappropriate Type Of Checksum | Error |
V 2.0 : Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error |
V 2.0 : Incorrect Sequence Number in Message | Sub Rule | Incorrect Sequence Number | Error |
V 2.0 : Integrity Check on Decrypted Field Failed | Sub Rule | Integrity Check On Decrypted Field Failed | Warning |
V 2.0 : Invalid Message Type | Sub Rule | Invalid Message Type | Error |
V 2.0 : Message Out of Order | Sub Rule | Message Out Of Order | Error |
V 2.0 : Message Stream Modified | Sub Rule | Message Stream Modified | Information |
V 2.0 : Ticket Not Eligible for Postdating | Sub Rule | Modify Object Attribute Failure | Access Failure |
V 2.0 : Client Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : KDC Has No Support for Padata Type | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Specified Version of Key Is Not Available | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Server Not Found in Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Additional Pre-authentication Required | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Requested Start Time Is Later Than End Tim | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Ticket and Authenticator Do Not Match | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : The Ticket Is Not for Us | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Pre-auth Information Was Invalid | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Server Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Multiple Principal Entries in Database | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Ticket Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Alternative Authentication Method Required | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Client Key Encrypted in Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Server Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Server Key Encrypted in Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Client or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Ticket Expired | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : Request Is a Replay | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : KDC Has No Support for Transited Type | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : KDC Has No Support for Checksum Type | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : KDC Cannot Accommodate Request Option | Sub Rule | User Logon Failure | Authentication Failure |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Provider | N/A | N/A | Identifies the provider that logged the event. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
EventID | <vmid> | Number | The identifier that the provider used to identify the event. |
Version | N/A | N/A | The version number of the event's definition. |
Level | <severity> | Text/String | The severity level defined in the event. |
Task | <vendorinfo> | Text/String | The task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
Opcode | N/A | N/A | The opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
Keywords | <result>, <tag3> | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
Channel | N/A | N/A | The channel to which the event was logged. |
Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
TargetUserName | <login> | Text/String | The user name of the account that requested the ticket in the User Principal Name (UPN) syntax. Computer account name ends with $ character in the user name part. This field typically has the following value format: user_account_name@FULL_DOMAIN_NAME. |
TargetDomainName | <domainorigin> | Text/String | The name of the Kerberos Realm that Account Name belongs to. This can appear in a variety of formats. This parameter in this event is optional and can be empty in some cases. |
ServiceName | <account>, <process> | Text/String | The name of the account or computer for which the TGS ticket was requested. This parameter in this event is optional and can be empty in some cases. |
ServiceSid | N/A | N/A | SID of the account or computer object for which the TGS ticket was requested. |
TicketOptions | <command> | Number | This is a set of different Ticket Flags in hexadecimal format. |
TicketEncryptionType | <policy> | Number | The cryptographic suite that was used for issued TGS. |
IpAddress | <sip> | IP Address | IP address of the computer from which the TGS request was received. Formats vary. |
IpPort | <sport> | Number | The source port number of client network connection (TGS request connection). 0 for local (localhost) requests. |
Status | <responsecode>, <tag1> | Number | A hexadecimal result code of TGS issue operation. |
LogonGuid | N/A | N/A | A GUID that can help you correlate this event (on a domain controller) with other events (on the target computer for which the TGS was issued) that can contain the same Logon GUID. |
TransmittedServices | N/A | N/A | This field contains a list of SPNs which were requested if Kerberos delegation was used. |
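The mapping table above describes the fields of the 4769/4770 event XML and the schema fields they land in. The following Python is an added example, not LogRhythm's parser or rule logic: it parses constructed sample events, applies the device-key-to-schema mapping from the table, normalises the IPv4-mapped form that `IpAddress` takes for IPv4 clients, and derives a sub rule and classification. The mapping of Kerberos result codes (RFC 4120 error names) to the sub-rule names in the classification table is an assumption made here; the page does not state which code each sub rule matches, and the sample events, hostnames and SIDs are constructed.

```python
"""Map Windows Security events 4769/4770 (Kerberos TGS) onto the LogRhythm schema.

Added example: field mapping follows the documentation table; sample events are
constructed, and STATUS_TO_RULE is an assumption about the sub-rule logic.
"""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Device key in the event -> LogRhythm schema field, taken from the mapping table.
FIELD_MAP = {
    "EventID": "vmid", "Level": "severity", "Task": "vendorinfo",
    "Computer": "dname", "TargetUserName": "login",
    "TargetDomainName": "domainorigin", "ServiceName": "account",
    "TicketOptions": "command", "TicketEncryptionType": "policy",
    "IpAddress": "sip", "IpPort": "sport", "Status": "responsecode",
}

# ASSUMPTION: the page does not say which Kerberos result code each sub rule
# matches. This table is a plausible reading of the sub-rule names against the
# RFC 4120 error names (in comments), not the vendor's actual rule logic.
STATUS_TO_RULE = {
    0x06: ("EVID 4769 : TGS Request Denied Invalid User", "Access Failure"),       # KDC_ERR_C_PRINCIPAL_UNKNOWN
    0x07: ("Server Not Found in Kerberos Database", "Authentication Failure"),     # KDC_ERR_S_PRINCIPAL_UNKNOWN
    0x17: ("EVID 4769 : TGS Request Denied Password Expired", "Access Failure"),   # KDC_ERR_KEY_EXPIRED
    0x18: ("Pre-auth Information Was Invalid", "Authentication Failure"),          # KDC_ERR_PREAUTH_FAILED
    0x1F: ("Integrity Check on Decrypted Field Failed", "Warning"),                # KRB_AP_ERR_BAD_INTEGRITY
    0x20: ("Ticket Expired", "Authentication Failure"),                            # KRB_AP_ERR_TKT_EXPIRED
    0x22: ("Request Is a Replay", "Authentication Failure"),                       # KRB_AP_ERR_REPEAT
    0x25: ("Clock Skew Too Great", "Warning"),                                     # KRB_AP_ERR_SKEW
}


def parse_event(xml_text):
    """Extract the System fields and every EventData/Data element into a flat dict."""
    root = ET.fromstring(xml_text)
    sys_el = root.find("e:System", NS)
    raw = {name: sys_el.findtext(f"e:{name}", namespaces=NS)
           for name in ("EventID", "Level", "Task", "Computer")}
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        raw[data.get("Name")] = data.text or ""
    return raw


def normalize_ip(value):
    """4769 reports IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); collapse to a.b.c.d."""
    if not value or value == "-":
        return ""
    addr = ipaddress.ip_address(value)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return str(addr.ipv4_mapped)
    return str(addr)


def to_schema(raw):
    """Rename device keys to schema fields and type the hex/numeric values."""
    rec = {schema: raw.get(key, "") or "" for key, schema in FIELD_MAP.items()}
    rec["vmid"] = int(rec["vmid"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else 0      # 0 for local requests
    rec["sip"] = normalize_ip(rec["sip"])
    # Status, TicketOptions and TicketEncryptionType are hexadecimal in the event.
    rec["responsecode"] = int(rec["responsecode"], 16) if rec["responsecode"] else 0
    rec["command"] = int(rec["command"], 16) if rec["command"] else 0
    rec["policy"] = int(rec["policy"], 16) if rec["policy"] else 0
    # Computer accounts end with $ in the user part of the UPN.
    rec["is_computer_account"] = rec["login"].split("@", 1)[0].endswith("$")
    return rec


def classify(rec):
    """Return (sub rule, classification) following the classification table."""
    if rec["vmid"] == 4770:
        return ("EVID 4770 : TGS Ticket Renewed", "Access Success")
    if rec["vmid"] != 4769:
        return ("General Audit Message", "Other Audit")   # base rule only
    if rec["responsecode"] == 0:
        return ("EVID 4769 : TGS Ticket Issued", "Access Success")
    return STATUS_TO_RULE.get(rec["responsecode"],
                              ("General Kerberos Failure", "Authentication Failure"))


def process(xml_text):
    rec = to_schema(parse_event(xml_text))
    rule, cls = classify(rec)
    return rec, rule, cls


def build_event(event_id, computer, data):
    """Build a minimal Windows event XML (constructed test input, not a captured log)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><Level>0</Level><Task>14337</Task>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample events (hostnames, accounts and addresses are made up).
COMMON = {"TargetUserName": "alice@EXAMPLE.TEST", "TargetDomainName": "EXAMPLE.TEST",
          "ServiceName": "WS01$", "TicketOptions": "0x40810000",
          "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.5", "IpPort": "49832"}
SAMPLE_EVENTS = [
    build_event(4769, "dc01.example.test", {**COMMON, "Status": "0x0"}),
    build_event(4769, "dc01.example.test",
                {**COMMON, "TargetUserName": "WS02$@EXAMPLE.TEST", "Status": "0x25"}),
    build_event(4769, "dc01.example.test",
                {**COMMON, "IpAddress": "::1", "IpPort": "0", "Status": "0x3c"}),  # code not in table
    build_event(4770, "dc01.example.test", COMMON),   # a renewal carries no Status field
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        rec, rule, cls = process(ev)
        print(f'{rec["vmid"]} {rec["login"]:<22} {rec["account"]:<6} {rec["sip"]:<10} '
              f'status=0x{rec["responsecode"]:x} -> {rule} [{cls}]')
```

Anything not in `STATUS_TO_RULE` falls back to the General Kerberos Failure sub rule, which is the conservative choice for a code the parser has not been taught; extend the table from the classification list above once you have confirmed the vendor's actual code-to-rule mapping.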