deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 20:03:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #7032 from RAJU2529/patch-71

Browse Source 
added link for Security Monitoring Recommendations
This commit is contained in:
Marty Hernandez Avedon
2020-06-30 11:03:50 -04:00
committed by GitHub
parent d5b54c3a24 4c451fa145
commit 7b186f0ec8
1 changed files with 1 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
View File

@ -31,7 +31,7 @@ This subcategory contains events about issued TGSs and failed TGS requests.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.<br><br>IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.<br><br>IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see our [***Security Monitoring Recommendations***](https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events).<br /><br />We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
@ -42,4 +42,3 @@ This subcategory contains events about issued TGSs and failed TGS requests.
- [4770](event-4770.md)(S): A Kerberos service ticket was renewed.
- [4773](event-4773.md)(F): A Kerberos service ticket request failed.