4768 - Client IP Parsing in SIEM
Posted 5/14/2020 9:40:16 AM
Forum Newbie
Hey,
We are implementing a WEC infrastructure and a SIEM. At the moment I am looking in depth at the Windows events.

I take every subcategory, look into the events and check whether the information is parsed correctly into the fields in the SIEM.

For the category 'Kerberos Authentication Service' (event IDs: 4768, 4771, 4772, 4820) everything looks fine to me, except the IP address mapping. It is parsed out correctly but is mapped to the DEST_IP (destination IP) field and not to the SRC_IP (source IP) field.

My first thought is that this couldn't be the correct mapping, because if I want to know which client is producing SUCCESS or FAILURE events, I would search for SRC_IP.

BUT when I have a look at the Kerberos process, I'm not 100% sure whether I'm right about this.
What do you think?

Additionally:
If I look into the category 'Kerberos Service Ticket Operations' with event IDs 4769, 4770, 4773, the client IP is mapped to the source IP field.

I hope you understand my question. If you need any details, please contact me via the forum or PM.

Thank you.
Greyland.
Post #8637
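For the mapping question raised in the post, an added illustration (not code from the poster or from any SIEM vendor): in a 4768 event the `IpAddress` field is the address of the host that sent the AS-REQ, as seen by the KDC that logged the event, so a parser that treats it as the source and the logging domain controller as the destination gives the field layout the post expects. The sample event is constructed; it uses the real `IpAddress`/`IpPort` data names from the 4768 schema, and the normalization of the `::ffff:a.b.c.d` form and of the `-`/`::1` values the KDC writes for missing or local addresses is the part worth checking in your own parser.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a 4768 event in the XML form that WEC forwards
# (not a real capture; Data names follow the 4768 EventData schema).
SAMPLE_4768 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4768</EventID>
    <Computer>DC01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">EXAMPLE.LOCAL</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="IpAddress">::ffff:10.20.30.40</Data>
    <Data Name="IpPort">51234</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Kerberos events whose EventData carries IpAddress/IpPort of the requesting client.
CLIENT_ADDRESS_EVENTS = {4768, 4769, 4770, 4771}


def normalize_client_address(raw):
    """Return the client address as the SIEM should store it, or None if absent.
    The KDC writes IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d) and uses
    '-' when no address is available; '::1' means the request was local."""
    raw = (raw or "").strip()
    if raw in ("", "-"):
        return None
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return str(addr.ipv4_mapped)
    return str(addr)


def map_kerberos_event(xml_text):
    """Map one Kerberos event to src/dest fields: client -> src, logging KDC -> dest."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    if event_id not in CLIENT_ADDRESS_EVENTS:
        raise ValueError(f"event {event_id} carries no client address field")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    port = data.get("IpPort", "").strip()
    return {
        "event_id": event_id,
        "src_ip": normalize_client_address(data.get("IpAddress")),
        "src_port": int(port) if port.isdigit() else None,
        "dest_host": root.find("e:System/e:Computer", NS).text,
        "user": data.get("TargetUserName"),
        "status": data.get("Status"),
    }
```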