-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathXQL_Kerb_PreAuth_4771
61 lines (61 loc) · 6.75 KB
/
XQL_Kerb_PreAuth_4771
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# Warning, this requires the XTH license
dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4771
| alter User_Name =arrayindex(regextract(action_evtlog_message, ".*Account Name:.*?(\w.*)\r\n"),0), SecurityID = arrayindex(regextract(action_evtlog_message, ".*Security ID:.*?(\w.*)\r\n"),0), ServiceName = arrayindex(regextract(action_evtlog_message, "Service Name:.*?(\w.*)\r\n"),0), Source_IP = arrayindex(regextract(action_evtlog_message, "Client Address:.*?(\d+\.\d+\.\d+\.\d+)\r\n"),0), FailCode = arrayindex(regextract(action_evtlog_message, "Failure Code:.*?(\w.*)\r\n"),0), Host_Name = arrayindex(regextract(action_evtlog_message, "Workstation Name:.*?(\w.*)\r\n"),0), PreAuthType = arrayindex(regextract(action_evtlog_message, "Pre-Authentication Type:.*?(\w.*)\r\n"),0)
| alter FailureReason = " "
| alter FailureReason = if(FailCode CONTAINS "0x0", "No error", FailureReason) // from https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771
| alter FailureReason = if(FailCode CONTAINS "0x1", "Client's entry in database has expired", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x2", "Server's entry in database has expired", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x3", "Requested protocol version number not supported", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x4", "Client's key encrypted in old master key", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x5", "Server's key encrypted in old master key", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x6", "Client not found in Kerberos database", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x7", "Server not found in Kerberos database", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x8", "Multiple principal entries in database", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x9", "The client or server has a null key", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0xa", "Ticket not eligible for postdating", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0xb", "Requested starttime is later than end time", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0xc", "KDC policy rejects request", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0xd", "KDC cannot accommodate requested option", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0xe", "KDC has no support for encryption type", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0xf", "KDC has no support for checksum type", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x10", "KDC has no support for PADATA type (pre-authentication data)", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x11", "KDC has no support for transited type", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x12", "Clients credentials have been revoked", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x13", "Credentials for server have been revoked", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x14", "TGT has been revoked", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x15", "Client not yet valid; try again later", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x16", "Server not yet valid; try again later", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x17", "Password has expired—change password to reset", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x18", "Pre-authentication information was invalid", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x19", "Additional pre-authentication required", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x1a", "Requested server and ticket don't match", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x1b", "Server principal valid for user2user only", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x1c", "KDC Policy rejects transited path", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x1d", "A service is not available", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x1f", "Integrity check on decrypted field failed", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x20", "Ticket expired", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x21", "Ticket not yet valid", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x22", "Request is a replay", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x23", "The ticket isn't for us", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x24", "Ticket and authenticator don't match", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x25", "Clock skew too great", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x26", "Incorrect net address", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x27", "Protocol version mismatch", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x28", "Invalid msg type", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x29", "Message stream modified", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x2a", "Message out of order", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x2c", "Specified version of key is not available", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x2d", "Service key not available", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x2e", "Mutual authentication failed", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x2f", "Incorrect message direction", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x30", "Alternative authentication method required", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x31", "Incorrect sequence number in message", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x32", "Inappropriate type of checksum in message", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x33", "Policy rejects transited path", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x34", "Response too big for UDP; retry with TCP", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x3c", "Generic error (description in e-text)", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x3d", "Field is too long for this implementation", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x43", "No TGT available to validate USER-TO-USER", FailureReason)
| alter FailureReason = if(FailCode CONTAINS "0x45", "Ticket must be for USER-TO-USER", FailureReason)
| fields User_Name, SecurityID, ServiceName, Source_IP,PreAuthType, Failcode, FailureReason // Select all the fields to show them