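// Kerberos weak-encryption-type hunt over Windows Security events
// 4768 (AS-REQ, TGT issued) and 4769 (TGS-REQ, service ticket issued).
// Surfaces tickets or session keys negotiated with RC4 or DES so that
// legacy/downgraded etypes can be reviewed per account, service and source IP.
//
// NOTE(review): LogScale field and tag names are case-sensitive. The original
// filtered on "#windows.EventID" but the RequestType case block compared
// "#Windows.EventID", so RequestType could only ever become "Unknown". The case
// block is aligned to the filter's spelling below -- confirm against the repo's
// actual tag name.
in(field="#windows.EventID", values=[4769,4768])

// Raw etype codes as logged (hex strings such as "0x12"). coalesce() over a
// single field keeps the original "assign only when present" behaviour.
| TicketEnc := coalesce([windows.EventData.TicketEncryptionType])
| SessionKeyEnc := coalesce([windows.EventData.SessionKeyEncryptionType])

// Label the request type. RequestType is computed but, as in the original,
// not part of groupBy(); add it there if AS vs TGS should be split in the output.
| case {
    #windows.EventID = 4768 | RequestType := "AS";
    #windows.EventID = 4769 | RequestType := "TGS";
    * | RequestType := "Unknown"
  }

// Map the session-key etype code to a readable name.
// "Unknown" is the original's label for 0xFF; "Unmapped" marks any code not in
// this table. NOTE(review): the comparison is on the literal string, so a log
// source emitting lower-case hex ("0xff") would land in "Unmapped" -- verify
// against real events. Codes such as 0x18 (RC4-HMAC-EXP) are not listed here.
| case {
    SessionKeyEnc = "0x1"  | SessionKeyEncName := "DES-CRC";
    SessionKeyEnc = "0x3"  | SessionKeyEncName := "DES-MD5";
    SessionKeyEnc = "0x17" | SessionKeyEncName := "RC4";
    SessionKeyEnc = "0x11" | SessionKeyEncName := "AES128-SHA96";
    SessionKeyEnc = "0x12" | SessionKeyEncName := "AES256-SHA96";
    SessionKeyEnc = "0x13" | SessionKeyEncName := "AES128-SHA256";
    SessionKeyEnc = "0x14" | SessionKeyEncName := "AES256-SHA384";
    SessionKeyEnc = "0xFF" | SessionKeyEncName := "Unknown";
    * | SessionKeyEncName := "Unmapped"
  }

// Same table for the ticket etype code.
| case {
    TicketEnc = "0x1"  | TicketEncName := "DES-CRC";
    TicketEnc = "0x3"  | TicketEncName := "DES-MD5";
    TicketEnc = "0x17" | TicketEncName := "RC4";
    TicketEnc = "0x11" | TicketEncName := "AES128-SHA96";
    TicketEnc = "0x12" | TicketEncName := "AES256-SHA96";
    TicketEnc = "0x13" | TicketEncName := "AES128-SHA256";
    TicketEnc = "0x14" | TicketEncName := "AES256-SHA384";
    TicketEnc = "0xFF" | TicketEncName := "Unknown";
    * | TicketEncName := "Unmapped"
  }

// Keep only events where the ticket OR the session key used a weak etype.
// Fix: the original filter repeated two terms and never tested
// TicketEncName="DES-MD5" or SessionKeyEncName="DES-CRC", so those events were
// silently dropped. All three weak names are now checked on both fields.
| TicketEncName="RC4" OR TicketEncName="DES-CRC" OR TicketEncName="DES-MD5"
  OR SessionKeyEncName="RC4" OR SessionKeyEncName="DES-CRC" OR SessionKeyEncName="DES-MD5"

// One row per account / service / DC / source IP / etype pair, with a count.
| groupBy([
    "windows.EventData.TargetUserName",
    "windows.EventData.ServiceName",
    "windows.Computer",
    "windows.EventData.IpAddress",
    "TicketEncName",
    "SessionKeyEncName"
  ])
| sort()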