V 2.0 : EVID 4768-4771 : Kerberos TGT Failure Msg
Vendor Documentation
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : EVID 4768-4771 : Kerberos TGT Failure Msg | Base Rule | General Authentication Event | Other Audit |
V 2.0 : EVID 4768 : Computer Logon Success | Sub Rule | Computer Logon | Authentication Success |
V 2.0 : EVID 4768 : User Logon Success | Sub Rule | User Logon | Authentication Success |
V 2.0 : EVID 4768 : Computer Logon Failure -Bad Us | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Computer Logon Failure - Clock | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Computer Logon Failure-Unsprt | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Computer Logon Failure Invald | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Computer Logon Flr Credential | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Computer Logon Failure Pswrd | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Computer Logon Failure Bad Pas | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Computer Logon Failure - Expir | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Computer Logon Failure - Tkt | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Computer Logon Failure-Duplkte | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Computer Logon Failure - Clock | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : User Logon Failure- Bad User | Sub Rule | User Logon Failure : Bad Username | Authentication Failure |
V 2.0 : EVID 4768 : User Logon Failure - Clock Out | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : User Logon Failure - Unsupport | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : User Logon Failure- Invalid Ce | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : User Logon Failure - Credentia | Sub Rule | User Logon Failure : Account Disabled | Authentication Failure |
V 2.0 : EVID 4768 : User Logon Failure- Password E | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
V 2.0 : EVID 4768 : User Logon Failure- Bad Pswrd | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
V 2.0 : EVID 4768 : User Logon Failure Expired Tkt | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : User Logon Failure Ticket Not | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : User Logon Failure Duplicated | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : User Logon Failure - Clock Out | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4771 : Computer Logon Failure - Invld | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0 : EVID 4771 : Computer Logon Failure- Paswrd | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0 : EVID 4771 : Computer Logon Fail Bad Pswrd | Sub Rule | Computer Logon Failure | Authentication Failure |
V 2.0 : EVID 4771 : User Logon Failure Invalid Cer | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4771 : User Logon Fail Password Exprd | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
V 2.0 : EVID 4771 : User Logon Failure Bad Pswrd | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
V 2.0 : EVID 4768 : Client Database Entry Has Expr | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : KDC Has No Suprt For Transited | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : KDC Has No Suprt For Transited | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Additional Pre-auth Required | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Server Database Entry Has Expr | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : The Tkt Is Not Fr User | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Ticket & Authenticator Do Not | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Specified Ver Of Key Is Not Av | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Mutual Authentication Failed | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Alternative Auth Method | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Client Key Encypted In Old Mst | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Server Key Encrypted In Old Ms | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Client Nt Found In Kerberos DB | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Server Nt Found In Kerberos DB | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Multiple Principal Entrs In Db | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : KDC Policy Rejects Request | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : KDC Cannot Accomodate Req Optn | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : KDC Has No Support For Checksm | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0 : EVID 4768 : Cred For Server Have Been Rvkd | Sub Rule | Access Revoked Activity | Access Revoked |
V 2.0 : EVID 4768 : TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
V 2.0 : EVID 4768 : Integrity Chk On Decrypt Field | Sub Rule | Integrity Check On Decrypted Field Failed | Warning |
V 2.0 : EVID 4768 : Invalid Message Type | Sub Rule | Invalid Message Type | Error |
V 2.0 : EVID 4768 : Message Stream Modified | Sub Rule | Message Stream Modified | Information |
V 2.0 : EVID 4768 : Message Out Of Order | Sub Rule | Message Out Of Order | Error |
V 2.0 : EVID 4768 : Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error |
V 2.0 : EVID 4768 : Unsupported Protocol | Sub Rule | Reconnaissance Activity | Reconnaissance |
V 2.0 : EVID 4768 : Incorrect Seq No In Message | Sub Rule | Incorrect Sequence Number | Error |
V 2.0 : EVID 4768 : Inapt Typ Of Chcksum In Msg | Sub Rule | Inappropriate Type Of Checksum | Error |
V 2.0 : EVID 4768 : Generic Error | Sub Rule | Generic Error | Error |
V 2.0 : EVID 4768 : Field Is Too Long For This Imp | Sub Rule | Field Is Too Long | Error |
V 2.0 : EVID 4768 : Ticket Not Eligible For Postda | Sub Rule | Modify Object Attribute Failure | Access Failure |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Provider | N/A | N/A | Identifies the provider that logged the event. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
EventID | <vmid> | Number | The identifier that the provider used to identify the event. |
Version | N/A | N/A | The version number of the event's definition. |
Level | <severity> | Text/String | The severity level defined in the event. |
Task | <vendorinfo> | Text/String | The task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
Opcode | N/A | N/A | The opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged. |
Keywords | <result>, <tag3> | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
Channel | N/A | N/A | The channel to which the event was logged. |
Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
TargetUserName | <login>, <tag1> | Text/String | The user name of the account that requested the ticket in the User Principal Name (UPN) syntax. A computer account name ends with the $ character in the user name part. This field typically has the following value format: user_account_name@FULL_DOMAIN_NAME. |
TargetDomainName | <domainorigin> | Text/String | The name of the Kerberos Realm that the Account Name belongs to. This can appear in a variety of formats. This parameter in this event is optional and can be empty in some cases. |
ServiceName | <process> | Text/String | The name of the account or computer for which the TGS ticket was requested. This parameter in this event is optional and can be empty in some cases. |
ServiceSid | N/A | N/A | SID of the account or computer object for which the TGS ticket was requested. |
TicketOptions | <command> | Number | This is a set of different Ticket Flags in hexadecimal format. |
Status | <responsecode>, <tag2> | Number | A hexadecimal result code of TGS issue operation. |
TicketEncryptionType | <policy> | Number | The cryptographic suite that was used for issued TGS. |
PreAuthType | <sessiontype> | Number | The code number of the pre-authentication type that was used in the TGT request. |
IpAddress | <sip> | IP Address | IP address of the computer from which the TGS request was received. Formats vary. |
IpPort | <sport> | Number | The source port number of the client network connection (TGS request connection). 0 for local (localhost) requests. |
CerIssuerName | <subject> | Text/String | The name of the Certification Authority that issued the smart card certificate. Populated from the Issued By field in the certificate. |
LogonGuid | N/A | N/A | A GUID that can help you correlate this event (on a domain controller) with other events (on the target computer for which the TGS was issued) that can contain the same Logon GUID. |
TransmittedServices | N/A | N/A | This field contains a list of SPNs which were requested if Kerberos delegation was used. |