Skip to main content
Skip table of contents

V 2.0 : EVID 4769, 4770 : Kerberos TGS Messages

Vendor Documentation

Classification

Rule Name

Rule Type

Common Event

Classification

V 2.0 : EVID 4769, 4770 : Kerberos TGS MessagesBase RuleGeneral Audit MessageOther Audit
V 2.0 : EVID 4769 : TGS Ticket IssuedSub RuleObject AccessedAccess Success
V 2.0 : EVID 4769 : TGS Request Denied Invalid UserSub RuleAccess Object FailureAccess Failure
V 2.0 : EVID 4769 : TGS Request Denied Invalid CertSub RuleAccess Object FailureAccess Failure
V 2.0 : EVID 4769 : TGS Request Denied CredentialsSub RuleAccess Object FailureAccess Failure
V 2.0 : EVID 4769 : TGS Request Denied Password ExpiredSub RuleAccess Object FailureAccess Failure
V 2.0 : EVID 4769 : TGS Request Denied Bad ExpiredSub RuleAccess Object FailureAccess Failure
V 2.0 : EVID 4769 : TGS Request Denied KDC_ERRSub RuleAccess Object FailureAccess Failure
V 2.0 : EVID 4770 : TGS Ticket RenewedSub RuleObject AccessedAccess Success
V 2.0 : Credentials for Server Have Been RevokedSub RuleAccess Revoked ActivityAccess Revoked
V 2.0 : TGT Has Been RevokedSub RuleAccess Revoked ActivityAccess Revoked
V 2.0 : General Kerberos FailureSub RuleAuthentication Failure ActivityAuthentication Failure
V 2.0 : Clock Skew Too GreatSub RuleClock Skew Too GreatWarning
V 2.0 : EVID 4769 : Serv Principal Valid Usr2UsrSub RuleDomain Trust InformationInformation
V 2.0 : Field Is Too Long for This ImplementationSub RuleField Is Too LongError
V 2.0 : Generic ErrorSub RuleGeneric ErrorError
V 2.0 : Inappropriate Type of Checksum in MessageSub RuleInappropriate Type Of ChecksumError
V 2.0 : Incorrect Message DirectionSub RuleIncorrect Message DirectionError
V 2.0 : Incorrect Sequence Number in MessageSub RuleIncorrect Sequence NumberError
V 2.0 : Integrity Check on Decrypted Field FailedSub RuleIntegrity Check On Decrypted Field FailedWarning
V 2.0 : Invalid Message TypeSub RuleInvalid Message TypeError
V 2.0 : Message Out of OrderSub RuleMessage Out Of OrderError
V 2.0 : Message Stream ModifiedSub RuleMessage Stream ModifiedInformation
V 2.0 : Ticket Not Eligible for PostdatingSub RuleModify Object Attribute FailureAccess Failure
V 2.0 : Client Database Entry Has ExpiredSub RuleUser Logon FailureAuthentication Failure
V 2.0 : KDC Has No Support for Padata TypeSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Specified Version of Key Is Not AvailableSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Client Not Yet ValidSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Server Not Found in Kerberos DatabaseSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Additional Pre-authentication RequiredSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Requested Start Time Is Later Than End TimSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Ticket and Authenticator Do Not MatchSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Protocol Version MismatchSub RuleUser Logon FailureAuthentication Failure
V 2.0 : The Ticket Is Not for UsSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Pre-auth Information Was InvalidSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Service Key Not AvailableSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Server Not Yet ValidSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Multiple Principal Entries in DatabaseSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Ticket Not Yet ValidSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Alternative Authentication Method RequiredSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Incorrect Net AddressSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Client Key Encrypted in Old Master KeySub RuleUser Logon FailureAuthentication Failure
V 2.0 : Server Database Entry Has ExpiredSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Server Key Encrypted in Old Master KeySub RuleUser Logon FailureAuthentication Failure
V 2.0 : Client or Server Has Null KeySub RuleUser Logon FailureAuthentication Failure
V 2.0 : Ticket ExpiredSub RuleUser Logon FailureAuthentication Failure
V 2.0 : Request Is a ReplaySub RuleUser Logon FailureAuthentication Failure
V 2.0 : KDC Has No Support for Transited TypeSub RuleUser Logon FailureAuthentication Failure
V 2.0 : KDC Has No Support for Checksum TypeSub RuleUser Logon FailureAuthentication Failure
V 2.0 : KDC Cannot Accommodate Request OptionSub RuleUser Logon FailureAuthentication Failure

Mapping with LogRhythm Schema  

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
ProviderN/AN/AIdentifies the provider that logged the event. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events. The EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event.
EventID<vmid>

NumberThe identifier that the provider used to identify the event.
VersionN/A N/AThe version number of the event's definition.
Level<severity>Text/StringThe severity level defined in the event.
Task<vendorinfo>Text/StringThe task defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged.
OpcodeN/A N/AThe opcode defined in the event. Task and Opcode are typically used to identify the location in the application from where the event was logged.
Keywords<result>, <tag3>Text/StringA bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).
TimeCreatedN/A N/AThe time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute.
EventRecordIDN/A N/AThe record number assigned to the event when it was logged.
CorrelationN/A N/AThe activity identifiers that consumers can use to group related events together.
ExecutionN/A N/AContains information about the process and thread that logged the event.
ChannelN/A N/AThe channel to which the event was logged.
Computer<dname>Text/StringThe name of the computer on which the event occurred.
TargetUserName<login>Text/StringThe user name of the account that requested the ticket in the User Principal Name (UPN) syntax. Computer account name ends with $ character in the user name part. This field typically has the following value format: user_account_name@FULL\_DOMAIN\_NAME.
  • User account example: dadmin@CONTOSO.LOCAL
  • Computer account example: WIN81$@CONTOSO.LOCAL
TargetDomainName<domainorigin>Text/StringThe name of the Kerberos Realm that Account Name belongs to. This can appear in a variety of formats, including the following:
  • Domain NETBIOS name example: CONTOSO
  • Lowercase full domain name: contoso.local
  • Uppercase full domain name: CONTOSO.LOCAL

This parameter in this event is optional and can be empty in some cases.
ServiceName<account>,
<process>
Text/String

The name of the account or computer for which the TGS ticket was requested.

This parameter in this event is optional and can be empty in some cases.

ServiceSidN/AN/ASID of the account or computer object for which the TGS ticket was requested.
TicketOptions<command>NumberThis is a set of different Ticket Flags in hexadecimal format.
TicketEncryptionType<policy>NumberThe cryptographic suite that was used for issued TGS.
IpAddress<sip>IP AddressIP address of the computer from which the TGS request was received. Formats vary, and include the following:
  • IPv6 or IPv4 address.
  • ::ffff:IPv4_address.
  • ::1 - localhost.
IpPort<sport>Number

The source port number of client network connection (TGS request connection).

0 for local (localhost) requests.

Status<responsecode>,
<tag1>
NumberA hexadecimal result code of TGS issue operation.
LogonGuidN/A N/AA GUID that can help you correlate this event (on a domain controller) with other events (on the target computer for which the TGS was issued) that can contain the same Logon GUID.
TransmittedServicesN/A N/AThis field contains a list of SPNs which were requested if Kerberos delegation was used.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.