4770 A Kerberos service ticket was renewed
Written when the KDC renews (reissues) an existing Kerberos service ticket. It is a supporting event that captures extension of a service ticket’s lifetime.
Overview
The audit subcategory is Audit Kerberos Service Ticket Operations. The event is generated when a renewable service ticket is renewed within its validity period, and it is recorded on domain controllers. New issuance is logged as 4769; renewal is logged separately as 4770.
How it is triggered
- When a client extends (renews) the validity of a service ticket it holds.
- It occurs routinely in long sessions and resident services.
Security review points
- On its own, this event has limited security meaning. It is less directly tied to Kerberoasting than the new-request event 4769, but you can check the encryption type (whether it is RC4) and the target service in the same way.
- Evaluate tickets renewed for an abnormally long time, or renewals by unexpected services/accounts, together with the new-request event.
Notes for log review
- Legitimate session continuation generates this event in volume. Watch 4769 primarily and treat 4770 as a supplement.
- Use it within the Kerberos sequence (4768 then 4769 then 4770) to understand ticket lifetime and renewal flow.
Key fields
| Field | Meaning |
|---|---|
| Account Name | The account that renewed the ticket |
| Service Name | The target service (SPN) |
| Ticket Encryption Type | The encryption type |
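The review points above can be applied to exported events as in the following added example, which is not part of the original page. It assumes events already parsed into dictionaries keyed by the event XML data names (`TargetUserName`, `ServiceName`, `TicketEncryptionType`) for the three key fields; the function name, the 7-day threshold and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

RC4_ETYPES = {0x17, 0x18}  # RC4-HMAC and RC4-HMAC-EXP

def review_renewals(events, max_span=timedelta(days=7)):
    """Return (time, account, service, reason) tuples for 4770 events worth a look.

    max_span is an assumed review threshold, not a value from the page.
    """
    issued = {}    # (account, service) -> time of the latest 4769 seen
    findings = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["TimeCreated"]))
    for ev in ordered:
        when = datetime.fromisoformat(ev["TimeCreated"])
        key = (ev["TargetUserName"].lower(), ev["ServiceName"].lower())
        if ev["EventID"] == 4769:
            issued[key] = when          # new issuance starts the chain
            continue
        if ev["EventID"] != 4770:
            continue
        reasons = []
        if int(ev["TicketEncryptionType"], 16) in RC4_ETYPES:
            reasons.append("RC4 encryption type")
        if key not in issued:
            reasons.append("no 4769 in the reviewed window")
        elif when - issued[key] > max_span:
            reasons.append("renewed long after issuance")
        findings += [(ev["TimeCreated"], ev["TargetUserName"], ev["ServiceName"], r)
                     for r in reasons]
    return findings

def _ev(event_id, time, account, service, etype):
    return {"EventID": event_id, "TimeCreated": time, "TargetUserName": account,
            "ServiceName": service, "TicketEncryptionType": etype}

# Constructed sample events (not real log data).
SAMPLE = [
    _ev(4769, "2024-05-01T08:00:00", "alice@EXAMPLE.LOCAL", "svc-sql", "0x12"),
    _ev(4770, "2024-05-01T17:00:00", "alice@EXAMPLE.LOCAL", "svc-sql", "0x12"),
    _ev(4770, "2024-05-02T10:00:00", "bob@EXAMPLE.LOCAL", "svc-legacy", "0x17"),
    _ev(4770, "2024-05-09T09:00:00", "alice@EXAMPLE.LOCAL", "svc-sql", "0x12"),
]

if __name__ == "__main__":
    for finding in review_renewals(SAMPLE):
        print(*finding, sep=" | ")
```

A "no 4769 in the reviewed window" result can also mean the export starts after the ticket was issued or that the 4769 was logged on another domain controller, so gather events from all domain controllers before treating it as unexpected.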