dataset xdr_data field auth_outcome_reason codes table

atschopp — Wed, 06 May 2026 12:26:09 GMT

we often see entries in dataset xdr_data where auth_outcome = "FAILURE" and auth_outcome_reason contains a code number (e.g. 14, 18, 25, …). It seems that these codes are PAN internal and I could not find a table explaining where these codes come from and what they mean. Does anybody know the explanation of these codes? Thanks

Re: dataset xdr_data field auth_outcome_reason codes table

susekar — Mon, 11 May 2026 14:49:01 GMT

Hello @atschopp ,

Greetings for the day.

The numeric codes found in the auth_outcome_reason field of the xdr_data dataset are typically system identifiers derived from the Cortex XDR Agent's Deep Packet Inspection (DPI) engine. While there is currently no official, comprehensive human-readable mapping table for every code (as they are considered internal/proprietary and subject to change), many of these codes correspond to standard protocol error definitions, specifically Kerberos (KRB) error codes.

Known Code Mappings:

Based on documented behavior and support cases, the following translations are identified:

Code 18
Corresponds to Kerberos error 0x12 (KDC_ERR_CLIENT_REVOKED).
This typically triggers alerts related to:
- Failed Login For Locked-Out Account
Code 7
Indicates an authentication failure related to Kerberos Ticket Granting Service (TGS) failures.
Code 6
Corresponds to:
- Client not found in Kerberos Database
- Principal Unknown
General Windows Errors
If the codes refer to Windows-specific errors in low-level logs, the agent typically records them in decimal format. To identify the meaning in Microsoft documentation, convert the decimal value to hexadecimal.

Troubleshooting & Identifying Undocumented Codes:

If you encounter undocumented values such as 14 or 25, the recommended approach is to query the raw dataset for additional protocol-level context.

Use the following XQL query to review the underlying Kerberos-related data:

dataset = xdr_data
| filter event_type = 102 and auth_outcome_reason != null
| fields krb_tgs_data, auth_outcome_reason, actor_process_username, krb_error_code, * 
| sort by _time

Best Practices:

Use XQL Auto-Completion:

Instead of filtering directly by numeric IDs, use the human-readable field values and suggestions provided by the XQL query builder auto-completion feature.

Cross-Reference Standard Protocol Documentation:

For codes not explicitly documented in Cortex XDR references, compare the numeric values against:

Kerberos RFC error definitions
Windows logon failure codes
Microsoft security event documentation

Engage Your Account Team:

If you require clarification for proprietary or undocumented logic associated with internal authentication codes, contact your Sales Engineer (SE) or Customer Success representative for advanced guidance.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic Re: dataset xdr_data field auth_outcome_reason codes table in Cortex XDR Discussions