Event Details

Event Type: Audit Kerberos Service Ticket Operations
Event Description:
  • 4769(S, F) : A Kerberos service ticket was requested.
  • 4770(S) : A Kerberos service ticket was renewed.
Event IDs: 4769, 4770

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | N/A | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | <tag1> | <result>, <tag3> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Processid | N/A | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | N/A |
| TargetUserName | <login> | N/A |
| TargetDomainName | N/A | N/A |
| SubjectUserName | N/A | <login> |
| SubjectDomainName | N/A | <domainorigin> |
| SubjectLogonId | N/A | N/A |
| TicketOptions | N/A | <command> |
| Ticket EncryptionType | N/A | <policy> |
| ReasonCode | N/A | N/A |
| ReasonText | N/A | N/A |
| ErrorCode | N/A | N/A |
| serviceName | N/A | <dname>, <process> |
| TicketOptions | N/A | N/A |
| status | N/A | <responsecode>, <tag1> |
| TicketEncryptionType | N/A | N/A |
| IpAddress | <sip> | <sip> |
| Ip Port | <sport> | <sport> |
| status | N/A | N/A |
| FailureCode | <tag3> | N/A |
| Pre-Authentication Type | N/A | N/A |
| AccountName | <account>, <tag2> | N/A |
| AccountDomain | <domain> | N/A |
| Result Code | N/A | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1004691 | EVID 4768 - 4771 : Kerberos Events | Base Rule | Authentication Activity | Authentication Success |
| | General Kerberos Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | EVID 4768 : Auth Ticket Granted, User Acct | Sub Rule | User Logon | Authentication Success |
| | EVID 4769 : Svc Ticket Granted, User Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4770 : Ticket Renewed, User Account | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4770 : Ticket Renewed, System Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4768 : Auth Ticket Granted, Sys Acct | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4769 : Svc Ticket Granted, Sys Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4768 : Auth Ticket Granted, Sys Acct | Sub Rule | Computer Logon | Authentication Success |
| | EVID 4769 : Svc Ticket Granted, Sys Acct | Sub Rule | Authentication Activity | Authentication Success |
| | EVID 4769 : Serv Principal Valid User-To-User Only | Sub Rule | Domain Trust Information | Information |
| | EVID 4770 : Ticket Renew Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4770 : Ticket Renew Denied, Sys Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4769 : Svc Ticket Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4769 : Svc Ticket Denied, Sys Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768 : Auth Ticket Denied, User Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768 : Auth Ticket Denied, Sys Acct | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768 : Client Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768 : Clients Credentials For Server Revoked | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4768 : Kerberos Auth Ticket (TGT) Requested | Sub Rule | Computer Logon | Authentication Success |
| | Field Is Too Long For This Implementation | Sub Rule | Field Is Too Long | Error |
| | Generic Error | Sub Rule | Generic Error | Error |
| | Inappropriate Type Of Checksum In Message | Sub Rule | Inappropriate Type Of Checksum | Error |
| | Incorrect Sequence Number In Message | Sub Rule | Incorrect Sequence Number | Error |
| | Alternative Authentication Method Required | Sub Rule | User Logon Failure | Authentication Failure |
| | Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error |
| | Mutual Authentication Failed | Sub Rule | User Logon Failure | Authentication Failure |
| | Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | Specified Version Of Key Is Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | Message Out Of Order | Sub Rule | Message Out Of Order | Error |
| | Message Stream Modified | Sub Rule | Message Stream Modified | Information |
| | Invalid Message Type | Sub Rule | Invalid Message Type | Error |
| | Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure |
| | Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure |
| | Clock Skew Too Great | Sub Rule | Clock Skew Too Great | Warning |
| | Ticket And Authenticator Do Not Match | Sub Rule | User Logon Failure | Authentication Failure |
| | The Ticket Is Not For Us | Sub Rule | User Logon Failure | Authentication Failure |
| | Request Is A Replay | Sub Rule | User Logon Failure | Authentication Failure |
| | Ticket Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | Ticket Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | Integrity Check On Decrypted Field Failed | Sub Rule | Integrity Check On Decrypted Field Failed | Warning |
| | Additional Pre-authentication Required | Sub Rule | User Logon Failure | Authentication Failure |
| | Pre-auth Information Was Invalid | Sub Rule | User Logon Failure | Authentication Failure |
| | Password Has Expired | Sub Rule | User Logon Failure : Bad Password | Authentication Failure |
| | Server Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | Credentials For Server Have Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | Clients Credentials For Server Have Been Revoked | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Transited Type | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Padata Type | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Checksum Type | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Has No Support For Encryption Type | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Cannot Accommodate Request Option | Sub Rule | User Logon Failure | Authentication Failure |
| | KDC Policy Rejects Request | Sub Rule | User Logon Failure | Authentication Failure |
| | Requested Start Time Is Later Than End Time | Sub Rule | User Logon Failure | Authentication Failure |
| | Ticket Not Eligible For Postdating | Sub Rule | Modify Object Attribute Failure | Access Failure |
| | Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure |
| | Multiple Principal Entries In Database | Sub Rule | User Logon Failure | Authentication Failure |
| | Server Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | Server Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
| | Unsupported Protocol | Sub Rule | Reconnaissance Activity | Reconnaissance |
| | Server Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | Client Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | EVID 4770 : Ticket Renewed, System Acct | Sub Rule | Authentication Activity | Authentication Success |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1011091 | V 2.0 : EVID 4769-4770 : Kerberos TGS Messages | Base Rule | General Audit Message | Other Audit |
| | V 2.0 : EVID 4769 : TGS Ticket Issued | Sub Rule | Object Accessed | Access Success |
| | V 2.0 : EVID 4769 : TGS Request Denied Invalid Usr | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4769 : TGS Request Denied Invld Cert | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4769 : TGS Request Denied Credentls | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4769 : TGS Request Denied Pswrd Exp | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4769 : TGS Request Denied Bad Expird | Sub Rule | Access Object Failure | Access Failure |
| | V 2.0 : EVID 4770 : TGS Ticket Renewed | Sub Rule | Object Accessed | Access Success |
| | V 2.0 : Credentials For Server Have Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | V 2.0 : TGT Has Been Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| | V 2.0 : General Kerberos Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 : Clock Skew Too Great | Sub Rule | Clock Skew Too Great | Warning |
| | V 2.0 : EVID 4769 : Serv Principal Valid Usr2Usr | Sub Rule | Domain Trust Information | Information |
| | V 2.0 : Field Is Too Long For This Implementation | Sub Rule | Field Is Too Long | Error |
| | V 2.0 : Generic Error | Sub Rule | Generic Error | Error |
| | V 2.0 : Inappropriate Type Of Checksum In Message | Sub Rule | Inappropriate Type Of Checksum | Error |
| | V 2.0 : Incorrect Message Direction | Sub Rule | Incorrect Message Direction | Error |
| | V 2.0 : Incorrect Sequence Number In Message | Sub Rule | Incorrect Sequence Number | Error |
| | V 2.0 : Integrity Check On Decrypted Field Failed | Sub Rule | Integrity Check On Decrypted Field Failed | Warning |
| | V 2.0 : Invalid Message Type | Sub Rule | Invalid Message Type | Error |
| | V 2.0 : Message Out Of Order | Sub Rule | Message Out Of Order | Error |
| | V 2.0 : Message Stream Modified | Sub Rule | Message Stream Modified | Information |
| | V 2.0 : Ticket Not Eligible For Postdating | Sub Rule | Modify Object Attribute Failure | Access Failure |
| | V 2.0 : Client Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : KDC Has No Support For Padata Type | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Specified Version Of Key Is Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Client Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Server Not Found In Kerberos Database | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Additional Pre-authentication Required | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Requested Start Time Is Later Than End Tim | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Ticket And Authenticator Do Not Match | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Protocol Version Mismatch | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : The Ticket Is Not For Us | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Pre-auth Information Was Invalid | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Service Key Not Available | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Server Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Multiple Principal Entries In Database | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Ticket Not Yet Valid | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Alternative Authentication Method Required | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Incorrect Net Address | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Client Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Server Database Entry Has Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Server Key Encrypted In Old Master Key | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Client Or Server Has Null Key | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Ticket Expired | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : Request Is A Replay | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : KDC Has No Support For Transited Type | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : KDC Has No Support For Checksum Type | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 : KDC Cannot Accomodate Request Option | Sub Rule | User Logon Failure | Authentication Failure |