dataset xdr_data field auth_outcome_reason codes table


L0 Member

We often see entries in dataset xdr_data where auth_outcome = "FAILURE" and auth_outcome_reason contains a code number (e.g. 14, 18, 25, …). It seems that these codes are PAN-internal, and I could not find a table explaining where these codes come from and what they mean. Does anybody know the explanation of these codes? Thanks


L5 Sessionator

Hello @atschopp,

Greetings for the day.

The numeric codes found in the auth_outcome_reason field of the xdr_data dataset are typically system identifiers derived from the Cortex XDR Agent's Deep Packet Inspection (DPI) engine. While there is currently no official, comprehensive human-readable mapping table for every code (as they are considered internal/proprietary and subject to change), many of these codes correspond to standard protocol error definitions, specifically Kerberos (KRB) error codes.

Known Code Mappings:

Based on documented behavior and support cases, the following translations are identified:

  • Code 18
    Corresponds to Kerberos error 0x12 (KDC_ERR_CLIENT_REVOKED).
    This typically triggers alerts related to:
    • Failed Login For Locked-Out Account
  • Code 7
    Indicates an authentication failure related to Kerberos Ticket Granting Service (TGS) failures.
  • Code 6
    Corresponds to:
    • Client not found in Kerberos Database
    • Principal Unknown
  • General Windows Errors
    If the codes refer to Windows-specific errors in low-level logs, the agent typically records them in decimal format. To identify the meaning in Microsoft documentation, convert the decimal value to hexadecimal.

Troubleshooting & Identifying Undocumented Codes:

If you encounter undocumented values such as 14 or 25, the recommended approach is to query the raw dataset for additional protocol-level context.

Use the following XQL query to review the underlying Kerberos-related data:

dataset = xdr_data
| filter event_type = 102 and auth_outcome_reason != null
| fields krb_tgs_data, auth_outcome_reason, actor_process_username, krb_error_code, *
| sort by _time

Best Practices:

Use XQL Auto-Completion:

Instead of filtering directly by numeric IDs, use the human-readable field values and suggestions provided by the XQL query builder auto-completion feature.

Cross-Reference Standard Protocol Documentation:

For codes not explicitly documented in Cortex XDR references, compare the numeric values against:

  • Kerberos RFC error definitions
  • Windows logon failure codes
  • Microsoft security event documentation

Engage Your Account Team:

If you require clarification for proprietary or undocumented logic associated with internal authentication codes, contact your Sales Engineer (SE) or Customer Success representative for advanced guidance.

If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar
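As an added illustration of the cross-referencing approach described in the reply above (this is example code, not part of the original thread or of any Cortex XDR tooling), the following Python helper decodes auth_outcome_reason values against the Kerberos error codes defined in RFC 4120 section 7.5.9, shows the hexadecimal form needed for Microsoft documentation lookups, and triages constructed sample rows in the shape of the xdr_data fields named in the XQL query. It assumes the field carries the raw Kerberos error code, which is exactly the unconfirmed point the reply hedges on; the priority labels are an assumption for triage, not a Cortex mapping.

```python
from collections import Counter

# Kerberos error codes from RFC 4120 section 7.5.9 (the RFC itself, not a
# Cortex XDR reference). Only codes commonly seen on failed logons are listed.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",   # client not found in KDC database
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",   # service principal unknown (TGS leg)
    12: "KDC_ERR_POLICY",
    14: "KDC_ERR_ETYPE_NOSUPP",          # no mutually supported encryption type
    18: "KDC_ERR_CLIENT_REVOKED",        # locked-out / disabled account
    23: "KDC_ERR_KEY_EXPIRED",           # password expired
    24: "KDC_ERR_PREAUTH_FAILED",        # wrong password
    25: "KDC_ERR_PREAUTH_REQUIRED",      # normal first leg of the AS exchange
    32: "KRB_AP_ERR_TKT_EXPIRED",
}

# Assumed triage priorities: 25 is expected protocol noise; 18 and 24 are
# the ones a defender wants on a dashboard. Not a Cortex XDR mapping.
PRIORITY = {25: "expected", 18: "review-lockout", 24: "review-bad-password",
            6: "review-unknown-principal", 7: "review-unknown-principal"}

def describe_reason(code):
    """Decode one auth_outcome_reason value: decimal, hex (for Microsoft
    docs) and the RFC 4120 name if the value is a Kerberos error code."""
    code = int(code)
    return {"decimal": code, "hex": f"0x{code:02X}",
            "krb_name": KRB_ERRORS.get(code, "UNMAPPED"),
            "priority": PRIORITY.get(code, "unmapped")}

def triage(rows):
    """Group FAILURE rows by (user, reason code), the way the XQL output
    above would be reviewed by hand, most frequent group first."""
    counts = Counter((r["actor_process_username"], int(r["auth_outcome_reason"]))
                     for r in rows if r.get("auth_outcome") == "FAILURE")
    return [dict(user=u, count=n, **describe_reason(c))
            for (u, c), n in sorted(counts.items(), key=lambda kv: -kv[1])]

# Constructed sample rows in the shape of the xdr_data fields (not real telemetry).
SAMPLE_ROWS = [
    {"auth_outcome": "FAILURE", "auth_outcome_reason": "25", "actor_process_username": "CORP\\alice"},
    {"auth_outcome": "FAILURE", "auth_outcome_reason": "25", "actor_process_username": "CORP\\alice"},
    {"auth_outcome": "SUCCESS", "auth_outcome_reason": None, "actor_process_username": "CORP\\alice"},
    {"auth_outcome": "FAILURE", "auth_outcome_reason": "18", "actor_process_username": "CORP\\svc-backup"},
    {"auth_outcome": "FAILURE", "auth_outcome_reason": "14", "actor_process_username": "CORP\\bob"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ROWS):
        print(row)
```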
