Kerberos Pre-Auth Failures by User and Host

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force (T1110)

Severity

Informational

Description

The user account on this host failed Kerberos pre-authentications (TGT requests) an unusual number of times.
This can indicate a Kerberos brute-force attack.

Attacker's Goals

The attacker is attempting to guess the credentials for the user account.

Investigative actions

  • Verify that the password for the account has not been changed recently, without updating the user or the program using it.
  • Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.