Sudden disappearance of Windows Event 4768 following March 2017 MS Patches
I noticed that our domain controllers were no longer sending Security event 4768 (Kerberos authentication ticket was requested) following March 2017 Microsoft patches (e.g. KB4012213 or KB4012216). It seems as if Microsoft may have moved this event to a different audit policy that we had not enabled in our environment. Enabling Account Logon: Kerberos Service Ticket Operations resolved the issue - and indeed this seems like the most logical policy to associate with event 4768.
CORRECTION: The "Other Account Logon Events" Subcategory resolved the issue. Perhaps this was formerly tied to the Account Logon: Kerberos Authentication Service policy category.
When I did a cursory Google search on this issue, I found only one relevant discussion (Reddit).
Did anyone else notice this change? Has Microsoft documented this change (if they did, we didn't notice in the release notes)?
It was actually the subcategory "Other Account Logon Events" and not "Kerberos Service Ticket Operations".
This setting can be found in group policy located under Computer Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Account Logon.
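A check for the logging gap described in this thread, added here as an example and not part of the original posts: it reads the effective Account Logon audit policy on a domain controller and separately confirms whether event 4768 is still reaching the Security log. It assumes an elevated session and an English-language OS (auditpol prints localized subcategory names); the 24-hour lookback window is an arbitrary choice.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.
# Assumes an English-language OS, since auditpol prints localized names.

$lookbackHours = 24   # assumed window; choose one that fits the DC's logon volume

# Effective audit policy for the Account Logon category, in CSV form (/r).
$policy = auditpol /get /category:"Account Logon" /r |
    Where-Object { $_ } |          # drop blank lines in auditpol's output
    ConvertFrom-Csv

$policy | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# The subcategory the thread reports as restoring 4768 after the March 2017 patches.
$other = $policy | Where-Object { $_.Subcategory -eq 'Other Account Logon Events' }
if (-not $other -or $other.'Inclusion Setting' -eq 'No Auditing') {
    Write-Warning "'Other Account Logon Events' is not audited on $env:COMPUTERNAME"
}

# Independent check: is 4768 actually arriving in the Security log?
$recent = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768
    StartTime = (Get-Date).AddHours(-$lookbackHours)
} -MaxEvents 1 -ErrorAction SilentlyContinue

if ($recent) {
    "Last 4768 on {0}: {1}" -f $env:COMPUTERNAME, $recent.TimeCreated
} else {
    Write-Warning "No 4768 events in the last $lookbackHours hours on $env:COMPUTERNAME"
}
```

Running the same check on each domain controller after a patch cycle catches a silent drop in 4768 volume before a downstream detection that depends on it goes blind.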