Custom rule (local_rules.xml) not working consistently - Windows event ID 4768

Dennis Johnson

Mar 29, 2023, 10:58:38 PM
to Wazuh mailing list
Hi,

I am having issues using custom rules to capture Windows event IDs. Specifically, I want to capture Windows event ID 4768, related to Kerberos authentication, and have it categorized as "Windows logon success" (rule ID 60106). I found this article where another user was trying to accomplish the same thing:


I followed the instructions in this article, having also read the manual on customizing rules (https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-rule), but I am not getting consistent results. I am logging certain instances of 4768, but not the ones I am intentionally generating by logging in with my own account. I verified that I see my logon (4768) on the domain controller, but it does not show up in the Wazuh logs.

The odd thing is that I added a second custom rule that adds event ID 4771 to rule ID 60105, related to "Windows logon failure", and that one appears to work fine when I purposely type my password incorrectly.

Here are my custom rules added to /var/ossec/etc/rules/local_rules.xml

custom-rules.jpg

Here is a sample 4768 event that does appear in my logs:

4768-working.jpg

Here is the one that does not show up - my account that I am trying to log.

4768-notworking.jpg

The only thing I noticed is that the 4768 logs that do show up all have the Client Address (data.win.eventdata.ipAddress) set to ::1. The logs I am trying to get to show up have the Client Address of a remote system.

Piotr

Mar 30, 2023, 4:28:27 AM
to Wazuh mailing list
Hi Dennis,
Are the examples you've provided exactly the same type? Maybe one of them is a '4768 success' and the other one is a '4768 failure'?
In that case, 4768 Success is linked to rule 60103 (which you have already done), but 4768 Failure should be linked to rule 60104, which is not done in the screenshot you posted ;)

Piotr

Dennis Johnson

Mar 30, 2023, 9:30:00 AM
to Wazuh mailing list
They are both 4768 Audit Success.

The differences between the two events:
- Different date/timestamp
- Different user accounts
- Different Ticket Options
- Different Client Address and Client Port

Ifeanyi Onyia Odike

Mar 30, 2023, 10:18:24 AM
to Wazuh mailing list
Hi Dennis,

Thank you for using Wazuh!
Can you share both logs for this? You can exclude sensitive information such as IP addresses.

BR,

Dennis Johnson

Mar 30, 2023, 12:01:14 PM
to Wazuh mailing list
Can you clarify which format you want the logs in? I have screenshots of the 2 logs in my first post. I can get the XML output - or something else if you want.

Ifeanyi Onyia Odike

Mar 30, 2023, 2:34:53 PM
to Wazuh mailing list
Yes, the same as the screenshots, but this time copy and paste it here.

Dennis Johnson

Mar 30, 2023, 3:11:31 PM
to Wazuh mailing list
EVENT THAT DOES NOT SHOW UP

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4768</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2023-03-28T23:26:35.665923600Z" />
    <EventRecordID>30688262</EventRecordID>
    <Correlation />
    <Execution ProcessID="636" ThreadID="4732" />
    <Channel>Security</Channel>
    <Computer>DC.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">testuser</Data>
    <Data Name="TargetDomainName">DOMAIN.LOCAL</Data>
    <Data Name="TargetSid">S-1-5-21-4199703994-660692394-3919416683-1105</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="ServiceSid">S-1-5-21-4199703994-660692394-3919416683-502</Data>
    <Data Name="TicketOptions">0x50000010</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">192.168.4.201</Data>
    <Data Name="IpPort">39582</Data>
    <Data Name="CertIssuerName" />
    <Data Name="CertSerialNumber" />
    <Data Name="CertThumbprint" />
  </EventData>
</Event>


EVENT THAT DOES SHOW UP

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4768</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2023-03-28T21:54:49.612352400Z" />
    <EventRecordID>30686734</EventRecordID>
    <Correlation />
    <Execution ProcessID="636" ThreadID="2136" />
    <Channel>Security</Channel>
    <Computer>DC.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">DOMAIN.LOCAL</Data>
    <Data Name="TargetSid">S-1-5-21-4199703994-660692394-3919416683-500</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="ServiceSid">S-1-5-21-4199703994-660692394-3919416683-502</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::1</Data>
    <Data Name="IpPort">0</Data>
    <Data Name="CertIssuerName" />
    <Data Name="CertSerialNumber" />
    <Data Name="CertThumbprint" />
  </EventData>
</Event>

Ifeanyi Onyia Odike

Mar 31, 2023, 9:22:43 AM
to Wazuh mailing list
Hi Dennis,

Thanks for your response. I will need some time to simulate this event before I can respond.
I will talk about this with my team and hopefully, respond by Monday.

Ifeanyi Onyia Odike

Apr 5, 2023, 11:19:14 AM
to Wazuh mailing list
Hi Dennis,

Apologies for the late response.
I have tried to critically look at this issue without success. This has been primarily due to setting up an AD lab environment to replicate your scenario.

I should be able to detect the flaw, if it exists, from the decoder, but I will need the JSON log for this event. You can help me with this by temporarily activating the archive log in the Wazuh server's /var/ossec/etc/ossec.conf file:

    <logall_json>no</logall_json>
to
    <logall_json>yes</logall_json>

performing the action, and copying the JSON log for the event that shows and the one that does not show.

Once you have done this, please paste both JSON logs here for me to test.

Many thanks in anticipation.

Regards,

Dennis Johnson

Apr 6, 2023, 1:08:28 AM
to Wazuh mailing list
THIS LOG DOES NOT SHOW UP IN WAZUH DASHBOARD

{"timestamp":"2023-04-06T04:48:37.167+0000","agent":{"id":"001","name":"DC1","ip":"192.168.4.89"},"manager":{"name":"wazuh"},"id":"1680756517.22243426","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"eventID\":\"4768\",\"version\":\"0\",\"level\":\"0\",\"task\":\"14339\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2023-04-06T04:48:36.177656700Z\",\"eventRecordID\":\"30879856\",\"processID\":\"624\",\"threadID\":\"1552\",\"channel\":\"Security\",\"computer\":\"DC1.domain.local\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"A Kerberos authentication ticket (TGT) was requested.\\r\\n\\r\\nAccount Information:\\r\\n\\tAccount Name:\\t\\tdennis\\r\\n\\tSupplied Realm Name:\\tdomain.local\\r\\n\\tUser ID:\\t\\t\\tS-1-5-21-4199703994-660692394-3919416683-1105\\r\\n\\r\\nService Information:\\r\\n\\tService Name:\\t\\tkrbtgt\\r\\n\\tService ID:\\t\\tS-1-5-21-4199703994-660692394-3919416683-502\\r\\n\\r\\nNetwork Information:\\r\\n\\tClient Address:\\t\\t192.168.4.100\\r\\n\\tClient Port:\\t\\t59055\\r\\n\\r\\nAdditional Information:\\r\\n\\tTicket Options:\\t\\t0x50000010\\r\\n\\tResult Code:\\t\\t0x0\\r\\n\\tTicket Encryption Type:\\t0x12\\r\\n\\tPre-Authentication Type:\\t2\\r\\n\\r\\nCertificate Information:\\r\\n\\tCertificate Issuer Name:\\t\\t\\r\\n\\tCertificate Serial Number:\\t\\r\\n\\tCertificate Thumbprint:\\t\\t\\r\\n\\r\\nCertificate information is only provided if a certificate was used for pre-authentication.\\r\\n\\r\\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.\\\"\"},\"eventdata\":{\"targetUserName\":\"dennis\",\"targetDomainName\":\"domain.local\",\"targetSid\":\"S-1-5-21-4199703994-660692394-3919416683-1105\",\"serviceName\":\"krbtgt\",\"serviceSid\":\"S-1-5-21-4199703994-660692394-3919416683-502\",\"ticketOptions\":\"0x50000010\",\"status\":\"0x0\",\"ticketEncryptionType\":\"0x12\",\"preAuthType\":\"2\",\"ipAddress\":\"192.168.4.100\",\"ipPort\":\"59055\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4768","version":"0","level":"0","task":"14339","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-04-06T04:48:36.177656700Z","eventRecordID":"30879856","processID":"624","threadID":"1552","channel":"Security","computer":"DC1.domain.local","severityValue":"AUDIT_SUCCESS","message":"\"A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tdennis\r\n\tSupplied Realm Name:\tdomain.local\r\n\tUser ID:\t\t\tS-1-5-21-4199703994-660692394-3919416683-1105\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-4199703994-660692394-3919416683-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t192.168.4.100\r\n\tClient Port:\t\t59055\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x50000010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.\""},"eventdata":{"targetUserName":"dennis","targetDomainName":"domain.local","targetSid":"S-1-5-21-4199703994-660692394-3919416683-1105","serviceName":"krbtgt","serviceSid":"S-1-5-21-4199703994-660692394-3919416683-502","ticketOptions":"0x50000010","status":"0x0","ticketEncryptionType":"0x12","preAuthType":"2","ipAddress":"192.168.4.100","ipPort":"59055"}}},"location":"EventChannel"}


THIS LOG DOES SHOW UP IN WAZUH DASHBOARD

{"timestamp":"2023-04-06T04:48:09.401+0000","rule":{"level":3,"description":"Windows logon success.","id":"60106","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":3,"mail":false,"groups":["windows","windows_security","authentication_success"],"gdpr":["IV_32.2"],"gpg13":["7.1","7.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"DC1","ip":"192.168.4.89"},"manager":{"name":"wazuh"},"id":"1680756489.22095540","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"eventID\":\"4768\",\"version\":\"0\",\"level\":\"0\",\"task\":\"14339\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2023-04-06T04:48:09.084929600Z\",\"eventRecordID\":\"30879832\",\"processID\":\"624\",\"threadID\":\"5668\",\"channel\":\"Security\",\"computer\":\"DC1.domain.local\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"A Kerberos authentication ticket (TGT) was requested.\\r\\n\\r\\nAccount Information:\\r\\n\\tAccount Name:\\t\\tAdministrator\\r\\n\\tSupplied Realm Name:\\tdomain.local\\r\\n\\tUser ID:\\t\\t\\tS-1-5-21-4199703994-660692394-3919416683-500\\r\\n\\r\\nService Information:\\r\\n\\tService Name:\\t\\tkrbtgt\\r\\n\\tService ID:\\t\\tS-1-5-21-4199703994-660692394-3919416683-502\\r\\n\\r\\nNetwork Information:\\r\\n\\tClient Address:\\t\\t::1\\r\\n\\tClient Port:\\t\\t0\\r\\n\\r\\nAdditional Information:\\r\\n\\tTicket Options:\\t\\t0x40810010\\r\\n\\tResult Code:\\t\\t0x0\\r\\n\\tTicket Encryption Type:\\t0x12\\r\\n\\tPre-Authentication Type:\\t2\\r\\n\\r\\nCertificate Information:\\r\\n\\tCertificate Issuer Name:\\t\\t\\r\\n\\tCertificate Serial Number:\\t\\r\\n\\tCertificate Thumbprint:\\t\\t\\r\\n\\r\\nCertificate information is only provided if a certificate was used for pre-authentication.\\r\\n\\r\\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.\\\"\"},\"eventdata\":{\"targetUserName\":\"Administrator\",\"targetDomainName\":\"domain.local\",\"targetSid\":\"S-1-5-21-4199703994-660692394-3919416683-500\",\"serviceName\":\"krbtgt\",\"serviceSid\":\"S-1-5-21-4199703994-660692394-3919416683-502\",\"ticketOptions\":\"0x40810010\",\"status\":\"0x0\",\"ticketEncryptionType\":\"0x12\",\"preAuthType\":\"2\",\"ipAddress\":\"::1\",\"ipPort\":\"0\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4768","version":"0","level":"0","task":"14339","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-04-06T04:48:09.084929600Z","eventRecordID":"30879832","processID":"624","threadID":"5668","channel":"Security","computer":"DC1.domain.local","severityValue":"AUDIT_SUCCESS","message":"\"A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tAdministrator\r\n\tSupplied Realm Name:\tdomain.local\r\n\tUser ID:\t\t\tS-1-5-21-4199703994-660692394-3919416683-500\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-4199703994-660692394-3919416683-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::1\r\n\tClient Port:\t\t0\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.\""},"eventdata":{"targetUserName":"Administrator","targetDomainName":"domain.local","targetSid":"S-1-5-21-4199703994-660692394-3919416683-500","serviceName":"krbtgt","serviceSid":"S-1-5-21-4199703994-660692394-3919416683-502","ticketOptions":"0x40810010","status":"0x0","ticketEncryptionType":"0x12","preAuthType":"2","ipAddress":"::1","ipPort":"0"}}},"location":"EventChannel"}


One commonality I notice is that the only instances of event ID 4768 that show up in Wazuh have an event IP address of ::1.
4768-eventdata.ipaddress.jpg

Ifeanyi Onyia Odike

Apr 6, 2023, 1:49:58 PM
to Wazuh mailing list
Hi Dennis,

I have run both logs through the Wazuh logtest and I have found some differences in the ways both logs are decoded.
This may well be a decoder issue, I will need some time to identify it specifically.

Ifeanyi Onyia Odike

Apr 13, 2023, 5:24:55 AM
to Wazuh mailing list
Hi Dennis,

The first log, the one that does not show in your dashboard, gets decoded in my instance of Wazuh, which means it should show in yours.
Can you copy and paste the first log into your running /var/ossec/bin/wazuh-logtest?

Then see if it gets decoded.

BR,

Dennis Johnson

Apr 17, 2023, 10:18:53 PM
to Wazuh mailing list
This is the log I want to show up in Wazuh dashboard:

=======================================

{"timestamp":"2023-04-06T04:48:37.167+0000","agent":{"id":"001","name":"DC1","ip":"192.168.4.89"},"manager":{"name":"wazuh"},"id":"1680756517.22243426","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"eventID\":\"4768\",\"version\":\"0\",\"level\":\"0\",\"task\":\"14339\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2023-04-06T04:48:36.177656700Z\",\"eventRecordID\":\"30879856\",\"processID\":\"624\",\"threadID\":\"1552\",\"channel\":\"Security\",\"computer\":\"DC1.domain.local\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"A Kerberos authentication ticket (TGT) was requested.\\r\\n\\r\\nAccount Information:\\r\\n\\tAccount Name:\\t\\tdennis\\r\\n\\tSupplied Realm Name:\\tdomain.local\\r\\n\\tUser ID:\\t\\t\\tS-1-5-21-4199703994-660692394-3919416683-1105\\r\\n\\r\\nService Information:\\r\\n\\tService Name:\\t\\tkrbtgt\\r\\n\\tService ID:\\t\\tS-1-5-21-4199703994-660692394-3919416683-502\\r\\n\\r\\nNetwork Information:\\r\\n\\tClient Address:\\t\\t192.168.4.100\\r\\n\\tClient Port:\\t\\t59055\\r\\n\\r\\nAdditional Information:\\r\\n\\tTicket Options:\\t\\t0x50000010\\r\\n\\tResult Code:\\t\\t0x0\\r\\n\\tTicket Encryption Type:\\t0x12\\r\\n\\tPre-Authentication Type:\\t2\\r\\n\\r\\nCertificate Information:\\r\\n\\tCertificate Issuer Name:\\t\\t\\r\\n\\tCertificate Serial Number:\\t\\r\\n\\tCertificate Thumbprint:\\t\\t\\r\\n\\r\\nCertificate information is only provided if a certificate was used for pre-authentication.\\r\\n\\r\\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.\\\"\"},\"eventdata\":{\"targetUserName\":\"dennis\",\"targetDomainName\":\"domain.local\",\"targetSid\":\"S-1-5-21-4199703994-660692394-3919416683-1105\",\"serviceName\":\"krbtgt\",\"serviceSid\":\"S-1-5-21-4199703994-660692394-3919416683-502\",\"ticketOptions\":\"0x50000010\",\"status\":\"0x0\",\"ticketEncryptionType\":\"0x12\",\"preAuthType\":\"2\",\"ipAddress\":\"192.168.4.100\",\"ipPort\":\"59055\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4768","version":"0","level":"0","task":"14339","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-04-06T04:48:36.177656700Z","eventRecordID":"30879856","processID":"624","threadID":"1552","channel":"Security","computer":"DC1.domain.local","severityValue":"AUDIT_SUCCESS","message":"\"A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tdennis\r\n\tSupplied Realm Name:\tdomain.local\r\n\tUser ID:\t\t\tS-1-5-21-4199703994-660692394-3919416683-1105\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-4199703994-660692394-3919416683-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t192.168.4.100\r\n\tClient Port:\t\t59055\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x50000010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.\""},"eventdata":{"targetUserName":"dennis","targetDomainName":"domain.local","targetSid":"S-1-5-21-4199703994-660692394-3919416683-1105","serviceName":"krbtgt","serviceSid":"S-1-5-21-4199703994-660692394-3919416683-502","ticketOptions":"0x50000010","status":"0x0","ticketEncryptionType":"0x12","preAuthType":"2","ipAddress":"192.168.4.100","ipPort":"59055"}}},"location":"EventChannel"}

=======================================

When I run this through logtest, I get the following results:

=======================================


Starting wazuh-logtest v4.4.0
Type one log per line


{"timestamp":"2023-04-06T04:48:37.167+0000","agent":{"id":"001","name":"DC1","ip":"192.168.4.89"},"manager":{"name":"wazuh"},"id":"1680756517.22243426","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"eventID\":\"4768\",\"version\":\"0\",\"level\":\"0\",\"task\":\"14339\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2023-04-06T04:48:36.177656700Z\",\"eventRecordID\":\"30879856\",\"processID\":\"624\",\"threadID\":\"1552\",\"channel\":\"Security\",\"computer\":\"DC1.domain.local\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"A Kerberos authentication ticket (TGT) was requested.\\r\\n\\r\\nAccount Information:\\r\\n\\tAccount Name:\\t\\tdennis\\r\\n\\tSupplied Realm Name:\\tdomain.local\\r\\n\\tUser ID:\\t\\t\\tS-1-5-21-4199703994-660692394-3919416683-1105\\r\\n\\r\\nService Information:\\r\\n\\tService Name:\\t\\tkrbtgt\\r\\n\\tService ID:\\t\\tS-1-5-21-4199703994-660692394-3919416683-502\\r\\n\\r\\nNetwork Information:\\r\\n\\tClient Address:\\t\\t192.168.4.100\\r\\n\\tClient Port:\\t\\t59055\\r\\n\\r\\nAdditional Information:\\r\\n\\tTicket Options:\\t\\t0x50000010\\r\\n\\tResult Code:\\t\\t0x0\\r\\n\\tTicket Encryption Type:\\t0x12\\r\\n\\tPre-Authentication Type:\\t2\\r\\n\\r\\nCertificate Information:\\r\\n\\tCertificate Issuer Name:\\t\\t\\r\\n\\tCertificate Serial Number:\\t\\r\\n\\tCertificate Thumbprint:\\t\\t\\r\\n\\r\\nCertificate information is only provided if a certificate was used for pre-authentication.\\r\\n\\r\\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.\\\"\"},\"eventdata\":{\"targetUserName\":\"dennis\",\"targetDomainName\":\"domain.local\",\"targetSid\":\"S-1-5-21-4199703994-660692394-3919416683-1105\",\"serviceName\":\"krbtgt\",\"serviceSid\":\"S-1-5-21-4199703994-660692394-3919416683-502\",\"ticketOptions\":\"0x50000010\",\"status\":\"0x0\",\"ticketEncryptionType\":\"0x12\",\"preAuthType\":\"2\",\"ipAddress\":\"192.168.4.100\",\"ipPort\":\"59055\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4768","version":"0","level":"0","task":"14339","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-04-06T04:48:36.177656700Z","eventRecordID":"30879856","processID":"624","threadID":"1552","channel":"Security","computer":"DC1.domain.local","severityValue":"AUDIT_SUCCESS","message":"\"A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tdennis\r\n\tSupplied Realm Name:\tdomain.local\r\n\tUser ID:\t\t\tS-1-5-21-4199703994-660692394-3919416683-1105\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-4199703994-660692394-3919416683-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t192.168.4.100\r\n\tClient Port:\t\t59055\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x50000010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.\""},"eventdata":{"targetUserName":"dennis","targetDomainName":"domain.local","targetSid":"S-1-5-21-4199703994-660692394-3919416683-1105","serviceName":"krbtgt","serviceSid":"S-1-5-21-4199703994-660692394-3919416683-502","ticketOptions":"0x50000010","status":"0x0","ticketEncryptionType":"0x12","preAuthType":"2","ipAddress":"192.168.4.100","ipPort":"59055"}}},"location":"EventChannel"}

**Phase 1: Completed pre-decoding.
full event: '{"timestamp":"2023-04-06T04:48:37.167+0000","agent":{"id":"001","name":"DC1","ip":"192.168.4.89"},"manager":{"name":"wazuh"},"id":"1680756517.22243426","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"eventID\":\"4768\",\"version\":\"0\",\"level\":\"0\",\"task\":\"14339\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2023-04-06T04:48:36.177656700Z\",\"eventRecordID\":\"30879856\",\"processID\":\"624\",\"threadID\":\"1552\",\"channel\":\"Security\",\"computer\":\"DC1.domain.local\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"A Kerberos authentication ticket (TGT) was requested.\\r\\n\\r\\nAccount Information:\\r\\n\\tAccount Name:\\t\\tdennis\\r\\n\\tSupplied Realm Name:\\tdomain.local\\r\\n\\tUser ID:\\t\\t\\tS-1-5-21-4199703994-660692394-3919416683-1105\\r\\n\\r\\nService Information:\\r\\n\\tService Name:\\t\\tkrbtgt\\r\\n\\tService ID:\\t\\tS-1-5-21-4199703994-660692394-3919416683-502\\r\\n\\r\\nNetwork Information:\\r\\n\\tClient Address:\\t\\t192.168.4.100\\r\\n\\tClient Port:\\t\\t59055\\r\\n\\r\\nAdditional Information:\\r\\n\\tTicket Options:\\t\\t0x50000010\\r\\n\\tResult Code:\\t\\t0x0\\r\\n\\tTicket Encryption Type:\\t0x12\\r\\n\\tPre-Authentication Type:\\t2\\r\\n\\r\\nCertificate Information:\\r\\n\\tCertificate Issuer Name:\\t\\t\\r\\n\\tCertificate Serial Number:\\t\\r\\n\\tCertificate Thumbprint:\\t\\t\\r\\n\\r\\nCertificate information is only provided if a certificate was used for pre-authentication.\\r\\n\\r\\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.\\\"\"},\"eventdata\":{\"targetUserName\":\"dennis\",\"targetDomainName\":\"domain.local\",\"targetSid\":\"S-1-5-21-4199703994-660692394-3919416683-1105\",\"serviceName\":\"krbtgt\",\"serviceSid\":\"S-1-5-21-4199703994-660692394-3919416683-502\",\"ticketOptions\":\"0x50000010\",\"status\":\"0x0\",\"ticketEncryptionType\":\"0x12\",\"preAuthType\":\"2\",\"ipAddress\":\"192.168.4.100\",\"ipPort\":\"59055\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4768","version":"0","level":"0","task":"14339","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-04-06T04:48:36.177656700Z","eventRecordID":"30879856","processID":"624","threadID":"1552","channel":"Security","computer":"DC1.domain.local","severityValue":"AUDIT_SUCCESS","message":"\"A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tdennis\r\n\tSupplied Realm Name:\tdomain.local\r\n\tUser ID:\t\t\tS-1-5-21-4199703994-660692394-3919416683-1105\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-4199703994-660692394-3919416683-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t192.168.4.100\r\n\tClient Port:\t\t59055\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x50000010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.\""},"eventdata":{"targetUserName":"dennis","targetDomainName":"domain.local","targetSid":"S-1-5-21-4199703994-660692394-3919416683-1105","serviceName":"krbtgt","serviceSid":"S-1-5-21-4199703994-660692394-3919416683-502","ticketOptions":"0x50000010","status":"0x0","ticketEncryptionType":"0x12","preAuthType":"2","ipAddress":"192.168.4.100","ipPort":"59055"}}},"location":"EventChannel"}'

**Phase 2: Completed decoding.
name: 'json'
agent.id: '001'
agent.ip: '192.168.4.89'
agent.name: 'DC1'
data.win.eventdata.ipAddress: '192.168.4.100'
data.win.eventdata.ipPort: '59055'
data.win.eventdata.preAuthType: '2'
data.win.eventdata.serviceName: 'krbtgt'
data.win.eventdata.serviceSid: 'S-1-5-21-4199703994-660692394-3919416683-502'
data.win.eventdata.status: '0x0'
data.win.eventdata.targetDomainName: 'domain.local'
data.win.eventdata.targetSid: 'S-1-5-21-4199703994-660692394-3919416683-1105'
data.win.eventdata.targetUserName: 'dennis'
data.win.eventdata.ticketEncryptionType: '0x12'
data.win.eventdata.ticketOptions: '0x50000010'
data.win.system.channel: 'Security'
data.win.system.computer: 'DC1.domain.local'
data.win.system.eventID: '4768'
data.win.system.eventRecordID: '30879856'
data.win.system.keywords: '0x8020000000000000'
data.win.system.level: '0'
data.win.system.message: '"A Kerberos authentication ticket (TGT) was requested.

Account Information:
Account Name: dennis
Supplied Realm Name: domain.local
User ID: S-1-5-21-4199703994-660692394-3919416683-1105

Service Information:
Service Name: krbtgt
Service ID: S-1-5-21-4199703994-660692394-3919416683-502

Network Information:
Client Address: 192.168.4.100
Client Port: 59055

Additional Information:
Ticket Options: 0x50000010
Result Code: 0x0
Ticket Encryption Type: 0x12
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120."'
data.win.system.opcode: '0'
data.win.system.processID: '624'
data.win.system.providerGuid: '{54849625-5478-4994-A5BA-3E3B0328C30D}'
data.win.system.providerName: 'Microsoft-Windows-Security-Auditing'
data.win.system.severityValue: 'AUDIT_SUCCESS'
data.win.system.systemTime: '2023-04-06T04:48:36.177656700Z'
data.win.system.task: '14339'
data.win.system.threadID: '1552'
data.win.system.version: '0'
decoder.name: 'windows_eventchannel'
full_log: '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4768","version":"0","level":"0","task":"14339","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-04-06T04:48:36.177656700Z","eventRecordID":"30879856","processID":"624","threadID":"1552","channel":"Security","computer":"DC1.domain.local","severityValue":"AUDIT_SUCCESS","message":"\"A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tdennis\r\n\tSupplied Realm Name:\tdomain.local\r\n\tUser ID:\t\t\tS-1-5-21-4199703994-660692394-3919416683-1105\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-4199703994-660692394-3919416683-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t192.168.4.100\r\n\tClient Port:\t\t59055\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x50000010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.\""},"eventdata":{"targetUserName":"dennis","targetDomainName":"domain.local","targetSid":"S-1-5-21-4199703994-660692394-3919416683-1105","serviceName":"krbtgt","serviceSid":"S-1-5-21-4199703994-660692394-3919416683-502","ticketOptions":"0x50000010","status":"0x0","ticketEncryptionType":"0x12","preAuthType":"2","ipAddress":"192.168.4.100","ipPort":"59055"}}}'
id: '1680756517.22243426'
location: 'EventChannel'
manager.name: 'wazuh'
timestamp: '2023-04-06T04:48:37.167+0000'

=======================================

It seems to parse correctly; it just doesn't show up in the Wazuh dashboard.
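Two passages in this thread lend themselves to a worked check: the custom rule from the opening post, which survives only as a screenshot, and the two archive records from the April 6 message that the logtest run above re-examines. The Python below is an added example, not code from the thread or from the Wazuh project. It embeds a hypothetical local_rules.xml child rule (rule id 100100 and its parent 60100, taken to be the Security-Auditing group rule, are assumptions to verify against your own ruleset), builds two archives.json-style records from the fields the quoted events carry (constructed data, not the originals), separates the 4768 records that contain a "rule" object, meaning a rule fired on them, from those that do not, and re-evaluates the rule's field conditions against the silent ones, with Python's re standing in for Wazuh's OS_Regex engine. It also pulls the inner full_log document out of a record, because that {"win": ...} payload is what the agent ships and what the windows_eventchannel decoder is written for; the logtest run above was fed the whole archive envelope, which is why its Phase 2 reports the generic 'json' decoder.

```python
import json
import re
import xml.etree.ElementTree as ET


def _record(record_id, user, ip, port, ticket_options, rule=None):
    """Constructed archives.json line; a "rule" object is present only when a rule fired."""
    win = {"system": {"providerName": "Microsoft-Windows-Security-Auditing", "eventID": "4768",
                      "channel": "Security", "severityValue": "AUDIT_SUCCESS",
                      "eventRecordID": record_id},
           "eventdata": {"targetUserName": user, "serviceName": "krbtgt", "status": "0x0",
                         "ticketOptions": ticket_options, "ticketEncryptionType": "0x12",
                         "preAuthType": "2", "ipAddress": ip, "ipPort": port}}
    rec = {"agent": {"id": "001", "name": "DC1"}, "id": "1680756517." + record_id,
           "full_log": json.dumps({"win": win}),  # the payload the agent actually shipped
           "decoder": {"name": "windows_eventchannel"}, "data": {"win": win}, "location": "EventChannel"}
    if rule is not None:
        rec["rule"] = rule
    return json.dumps(rec)


# Constructed sample: the silent remote-client event and the alerted loopback event.
ARCHIVES_JSON = "\n".join([
    _record("30879856", "dennis", "192.168.4.100", "59055", "0x50000010"),
    _record("30879832", "Administrator", "::1", "0", "0x40810010",
            rule={"id": "60106", "level": 3, "description": "Windows logon success."}),
])

# Hypothetical local_rules.xml child rule; id 100100 and the 60100 parent are assumptions.
LOCAL_RULES_XML = """<group name="windows,windows_security,authentication_success,">
  <rule id="100100" level="3">
    <if_sid>60100</if_sid>
    <field name="win.system.eventID">^4768$</field>
    <field name="win.system.severityValue">^AUDIT_SUCCESS$</field>
    <field name="win.eventdata.status">^0x0$</field>
    <description>Kerberos TGT issued to $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
  </rule>
</group>"""


def iter_events(archives_text):
    """Yield each non-empty archives.json line as a dict (one JSON document per line)."""
    return (json.loads(line) for line in archives_text.splitlines() if line.strip())


def flatten(obj, prefix=""):
    """Nested dicts to dotted keys such as "win.system.eventID", the paths <field name> uses."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        out.update(flatten(value, path) if isinstance(value, dict) else {path: value})
    return out


def load_field_conditions(rules_xml):
    """{rule_id: [(field_name, regex), ...]}. Wazuh evaluates <field> with its own OS_Regex
    engine (PCRE2 only with type="pcre2"); Python's re stands in for anchored alternations."""
    return {rule.get("id"): [(f.get("name"), re.compile(f.text.strip())) for f in rule.findall("field")]
            for rule in ET.fromstring(rules_xml).iter("rule")}


def rule_matches(fields, event):
    """True when every <field> condition matches the decoded event (AND semantics, as in Wazuh)."""
    decoded = flatten(event.get("data", {}))
    return all(name in decoded and regex.search(str(decoded[name])) for name, regex in fields)


def triage(archives_text, rules_xml, event_id="4768"):
    """Split archived events with this eventID into alerted / silent; re-check the silent ones."""
    conditions = load_field_conditions(rules_xml)
    report = {"alerted": [], "silent": [], "silent_but_matching": []}
    for event in iter_events(archives_text):
        decoded = flatten(event.get("data", {}))
        if decoded.get("win.system.eventID") != event_id:
            continue
        rec_id = decoded.get("win.system.eventRecordID")
        if "rule" in event:
            report["alerted"].append((rec_id, event["rule"]["id"]))
            continue
        report["silent"].append(rec_id)
        report["silent_but_matching"] += [(rec_id, rid) for rid, fields in conditions.items()
                                          if rule_matches(fields, event)]
    return report


def diff_decoded(event_a, event_b):
    """Decoded fields whose values differ between two archived events."""
    a, b = flatten(event_a.get("data", {})), flatten(event_b.get("data", {}))
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def agent_payload(event):
    """The {"win": ...} document the agent shipped, recovered from full_log. Paste this, not the
    archive envelope, into wazuh-logtest; the envelope is picked up by the generic json decoder."""
    return json.loads(event["full_log"])


if __name__ == "__main__":
    silent, alerted = iter_events(ARCHIVES_JSON)
    print(triage(ARCHIVES_JSON, LOCAL_RULES_XML), diff_decoded(silent, alerted), sep="\n")
    print("paste into wazuh-logtest:", json.dumps(agent_payload(silent)))
```

Run it as a script, or import it and point triage() at the contents of /var/ossec/logs/archives/archives.json once logall_json is on. A silent record that still satisfies every field condition tells you the rule's own conditions are not what is discriminating; the fields that differ between the silent and the alerted record (here the account, client address, client port and ticket options) are then where to look, and the recovered full_log payload is what to feed wazuh-logtest so that it exercises the windows_eventchannel path rather than the json decoder.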

Ifeanyi Onyia Odike

Apr 18, 2023, 3:50:06 AM
to Wazuh mailing list
Hi Dennis

How about OpenSearch events?
Can you check to see if it shows up there?

You can filter using the IP address.

BR,

Dennis Johnson

Apr 18, 2023, 10:01:46 AM
to Wazuh mailing list
No, the event does not show up in OpenSearch either.

Ifeanyi Onyia Odike

Apr 20, 2023, 11:54:49 AM
to Wazuh mailing list
Hi Dennis,

I haven't had much luck troubleshooting this issue, since this is not something I have ever encountered. All logs usually show up at least on OpenSearch's dashboard.
We could create a separate rule and observe.

Do you have the ability to create a custom rule using the same event ID?

Dennis Johnson

Apr 21, 2023, 1:21:12 AM
to Wazuh mailing list
I have a custom rule in place already for capturing this event ID. If you look at my first post in this thread, I created a custom rule to capture 4768.

I'm happy to create a different rule and/or remove my current custom rule - whatever you think I should try.

Ifeanyi Onyia Odike

Apr 27, 2023, 6:24:41 AM
to Wazuh mailing list
I think having a custom rule should suffice for anyone with a similar issue in the future.

This thread will be kept for reference.

Dennis Johnson

May 2, 2023, 2:47:18 PM
to Wazuh mailing list
So what is the next step for troubleshooting?

Should we start over from scratch and rebuild a new custom rule to collect event ID 4768?