Data Source: Windows Event Log Security 4769

Description

Logs Kerberos service ticket requests, including details about the requesting user, target service, and client IP address.

Details

Property   | Value
-----------|------------------------
Source     | XmlWinEventLog:Security
Sourcetype | XmlWinEventLog
Separator  | EventCode
Name                                                         | Technique                                | Type
-------------------------------------------------------------|------------------------------------------|--------
Kerberoasting spn request with RC4 encryption                | Kerberoasting                            | TTP
Kerberos Service Ticket Request Using RC4 Encryption         | Golden Ticket                            | TTP
Suspicious Kerberos Service Ticket Request                   | Domain Accounts                          | TTP
Unusual Number of Computer Service Tickets Requested         | Valid Accounts                           | Hunting
Unusual Number of Kerberos Service Tickets Requested         | Kerberoasting                            | Anomaly
Windows Large Number of Computer Service Tickets Requested   | Network Share Discovery, Valid Accounts  | Anomaly

Supported Apps

Event Fields

Fields

  • _time
  • Channel
  • Computer
  • Error_Code
  • EventCode
  • EventData_Xml
  • EventID
  • EventRecordID
  • Guid
  • IpAddress
  • IpPort
  • Keywords
  • Level
  • LogonGuid
  • Name
  • Opcode
  • ProcessID
  • RecordNumber
  • ServiceName
  • ServiceSid
  • Source_Port
  • Source_Workstation
  • Status
  • SystemTime
  • System_Props_Xml
  • TargetDomainName
  • TargetUserName
  • Target_Domain
  • Target_User_Name
  • Task
  • ThreadID
  • TicketEncryptionType
  • TicketOptions
  • TransmittedServices
  • Version
  • action
  • app
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dest_nt_domain
  • dvc
  • dvc_nt_host
  • event_id
  • eventtype
  • host
  • id
  • index
  • linecount
  • name
  • product
  • punct
  • service
  • service_id
  • service_name
  • signature
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • src
  • src_ip
  • src_nt_host
  • src_port
  • status
  • subject
  • ta_windows_action
  • ta_windows_status
  • tag
  • tag::action
  • tag::eventtype
  • timeendpos
  • timestartpos
  • user
  • user_group
  • vendor
  • vendor_product
</div>

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
    <EventID>4769</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14337</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2024-04-09T01:00:49.143003800Z'/>
    <EventRecordID>148521</EventRecordID>
    <Correlation/>
    <Execution ProcessID='636' ThreadID='1776'/>
    <Channel>Security</Channel>
    <Computer>ar-win-dc.attackrange.local</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='TargetUserName'>AR-WIN-2$@ATTACKRANGE.LOCAL</Data>
    <Data Name='TargetDomainName'>ATTACKRANGE.LOCAL</Data>
    <Data Name='ServiceName'>AR-WIN-2$</Data>
    <Data Name='ServiceSid'>ATTACKRANGE\AR-WIN-2$</Data>
    <Data Name='TicketOptions'>0x40810000</Data>
    <Data Name='TicketEncryptionType'>0x17</Data>
    <Data Name='IpAddress'>::ffff:10.0.1.15</Data>
    <Data Name='IpPort'>59191</Data>
    <Data Name='Status'>0x0</Data>
    <Data Name='LogonGuid'>{3b4ad75b-7184-6094-b975-ea3f91932ee0}</Data>
    <Data Name='TransmittedServices'>-</Data>
  </EventData>
</Event>
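The following is an added example, not code from the Splunk security content project, showing how to parse the example event above into the fields listed on this page and derive the attributes that the RC4 and Kerberoasting detections in the table key on: the ticket encryption type, whether the requested service is a computer account (name ending in `$`), and the client IP with the `::ffff:` IPv4-mapped prefix stripped. The event is embedded verbatim from the page; the `svc_sql` variant is a constructed input that is not from the page, and the encryption-type code names come from Microsoft's documentation of event 4769.

```python
import xml.etree.ElementTree as ET
from ipaddress import IPv6Address, ip_address

# Namespace declared on the <Event> element in the page's example log.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# TicketEncryptionType codes as documented by Microsoft for event 4769.
ENCRYPTION_TYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
RC4_TYPES = {0x17, 0x18}

# The page's example event, embedded so the script runs offline.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing' "
    "Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4769</EventID>"
    "<Version>0</Version><Level>0</Level><Task>14337</Task><Opcode>0</Opcode>"
    "<Keywords>0x8020000000000000</Keywords>"
    "<TimeCreated SystemTime='2024-04-09T01:00:49.143003800Z'/>"
    "<EventRecordID>148521</EventRecordID><Correlation/>"
    "<Execution ProcessID='636' ThreadID='1776'/><Channel>Security</Channel>"
    "<Computer>ar-win-dc.attackrange.local</Computer><Security/></System>"
    "<EventData><Data Name='TargetUserName'>AR-WIN-2$@ATTACKRANGE.LOCAL</Data>"
    "<Data Name='TargetDomainName'>ATTACKRANGE.LOCAL</Data>"
    "<Data Name='ServiceName'>AR-WIN-2$</Data>"
    "<Data Name='ServiceSid'>ATTACKRANGE\\AR-WIN-2$</Data>"
    "<Data Name='TicketOptions'>0x40810000</Data>"
    "<Data Name='TicketEncryptionType'>0x17</Data>"
    "<Data Name='IpAddress'>::ffff:10.0.1.15</Data><Data Name='IpPort'>59191</Data>"
    "<Data Name='Status'>0x0</Data>"
    "<Data Name='LogonGuid'>{3b4ad75b-7184-6094-b975-ea3f91932ee0}</Data>"
    "<Data Name='TransmittedServices'>-</Data></EventData></Event>"
)

# Constructed variant (not from the page): the same request, but for a service
# registered on a user account instead of a computer account.
USER_SPN_EVENT = SAMPLE_EVENT.replace(
    "<Data Name='ServiceName'>AR-WIN-2$</Data>",
    "<Data Name='ServiceName'>svc_sql</Data>",
)


def parse_4769(xml_text):
    """Flatten a 4769 event into a dict of System attributes plus every EventData field."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    if event_id != 4769:
        raise ValueError(f"not a 4769 event: EventID={event_id}")
    fields = {
        "EventID": event_id,
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "SystemTime": system.find("e:TimeCreated", NS).get("SystemTime"),
        "EventRecordID": int(system.findtext("e:EventRecordID", namespaces=NS)),
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        fields[data.get("Name")] = data.text
    return fields


def normalise_ip(raw):
    """4769 reports IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); return plain IPv4."""
    addr = ip_address(raw)
    if isinstance(addr, IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def enrich(fields):
    """Derive the attributes a detection filters on from the raw event fields."""
    etype = int(fields["TicketEncryptionType"], 16)
    service = fields["ServiceName"]
    # Computer accounts end in '$'; Kerberoasting is concerned with SPNs on user accounts.
    service_is_computer = service.endswith("$")
    success = int(fields["Status"], 16) == 0
    return {
        "requester": fields["TargetUserName"],
        "service": service,
        "src_ip": normalise_ip(fields["IpAddress"]),
        "encryption": ENCRYPTION_TYPES.get(etype, f"unknown(0x{etype:x})"),
        "success": success,
        "service_is_computer_account": service_is_computer,
        # A successful RC4 ticket for a user-account SPN is the condition the
        # RC4/Kerberoasting detections listed on this page are built around.
        "rc4_to_user_spn": success and etype in RC4_TYPES and not service_is_computer,
    }


if __name__ == "__main__":
    for label, event in (("page example", SAMPLE_EVENT), ("constructed user SPN", USER_SPN_EVENT)):
        print(label, enrich(parse_4769(event)))
```

Run against the page's event, the ticket is RC4 (0x17) but the service is the computer account `AR-WIN-2$`, so `rc4_to_user_spn` stays false; only the constructed `svc_sql` variant trips it. This is why the "Required Output Fields" entry `dest` alone is not enough for these detections: `ServiceName`, `TicketEncryptionType` and `Status` all need to be extracted from `EventData`.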

Required Output Fields

  • dest

Source: GitHub | Version: 3