Possible Kerberos User Enumeration

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-03-10
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Account Discovery: Domain Account (T1087.002)

Severity

Informational

Description

Multiple Kerberos TGT requests with KDC_ERR_C_PRINCIPAL_UNKNOWN errors were generated for different user names in the last 10 minutes, which may indicate Kerberos user enumeration.

Attacker's Goals

The attacker may attempt to gain an initial foothold in the domain by enumerating users.

Investigative actions

  • Identify the source host from which the failed logons originated, and confirm that the IP is not a shared address.
  • Check the host from which the errors originated, and verify the legitimacy of the TGT requests.
  • Correlate successful logons from the source host to identify potential account compromises following the failed attempts.
  • Review source host activity to detect any additional suspicious or lateral movement behavior.

Variations

Possible Kerberos User Enumeration Involving Exposed Users

Synopsis

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Account Discovery: Domain Account (T1087.002)

Severity

Low

Description

Multiple Kerberos TGT requests with KDC_ERR_C_PRINCIPAL_UNKNOWN errors were generated for different user names in the last 10 minutes, which may indicate Kerberos user enumeration.

Attacker's Goals

The attacker may attempt to gain an initial foothold in the domain by enumerating users.

Investigative actions

  • Identify the source host from which the failed logons originated, and confirm that the IP is not a shared address.
  • Check the host from which the errors originated, and verify the legitimacy of the TGT requests.
  • Correlate successful logons from the source host to identify potential account compromises following the failed attempts.
  • Review source host activity to detect any additional suspicious or lateral movement behavior.
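The detection logic in the Description and the first three investigative actions, for both the base alert and the variation above, as an added example that is not Cortex XSIAM's own analytics code: it groups Windows Security event 4768 (TGT requested) records whose result code is 0x6, the value that corresponds to KDC_ERR_C_PRINCIPAL_UNKNOWN, by source address over a 10-minute sliding window, counts distinct requested user names, skips addresses you know to be shared (NAT, proxies, jump hosts), and then lists accounts that obtained a TGT from a flagged source after its first failure. The record layout, the five-user threshold, the `shared_addresses` parameter, and every host, user and address are constructed assumptions; the page states only the window and the error code.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Windows Security event 4768 ("A Kerberos authentication ticket (TGT) was
# requested") carries the KDC result code: 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN
# (the requested client principal does not exist), 0x0 is success.
TGT_REQUEST_EVENT_ID = 4768
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"
KDC_SUCCESS = "0x0"


def _ev(time_str, result_code, target_user, source_ip):
    """Build one normalized TGT-request record (field names are this example's own)."""
    return {"time": datetime.fromisoformat(time_str), "event_id": TGT_REQUEST_EVENT_ID,
            "result_code": result_code, "target_user": target_user, "source_ip": source_ip}


# Constructed sample telemetry; hosts, users and addresses are hypothetical.
SAMPLE_EVENTS = [
    # 10.0.0.5: one stale failure, then five unknown principals in three minutes,
    # followed by a successful TGT for a real account.
    _ev("2026-03-10 08:40:00", KDC_ERR_C_PRINCIPAL_UNKNOWN, "stale_user", "10.0.0.5"),
    _ev("2026-03-10 09:00:00", KDC_ERR_C_PRINCIPAL_UNKNOWN, "admin", "10.0.0.5"),
    _ev("2026-03-10 09:00:45", KDC_ERR_C_PRINCIPAL_UNKNOWN, "backup", "10.0.0.5"),
    _ev("2026-03-10 09:01:30", KDC_ERR_C_PRINCIPAL_UNKNOWN, "svc_sql", "10.0.0.5"),
    _ev("2026-03-10 09:02:15", KDC_ERR_C_PRINCIPAL_UNKNOWN, "test", "10.0.0.5"),
    _ev("2026-03-10 09:03:00", KDC_ERR_C_PRINCIPAL_UNKNOWN, "printer", "10.0.0.5"),
    _ev("2026-03-10 09:05:00", KDC_SUCCESS, "jdoe", "10.0.0.5"),
    # 10.0.0.9: a single mistyped user name followed by a normal logon (benign).
    _ev("2026-03-10 09:01:00", KDC_ERR_C_PRINCIPAL_UNKNOWN, "jsmith2", "10.0.0.9"),
    _ev("2026-03-10 09:01:30", KDC_SUCCESS, "jsmith", "10.0.0.9"),
    # 10.0.0.7: a NAT gateway fronting many workstations; unrelated typos land on
    # one address and would look like enumeration without the exclusion.
    _ev("2026-03-10 09:10:00", KDC_ERR_C_PRINCIPAL_UNKNOWN, "a.lee", "10.0.0.7"),
    _ev("2026-03-10 09:10:20", KDC_ERR_C_PRINCIPAL_UNKNOWN, "b.kim", "10.0.0.7"),
    _ev("2026-03-10 09:10:40", KDC_ERR_C_PRINCIPAL_UNKNOWN, "c.ortiz", "10.0.0.7"),
    _ev("2026-03-10 09:11:00", KDC_ERR_C_PRINCIPAL_UNKNOWN, "d.chan", "10.0.0.7"),
    _ev("2026-03-10 09:11:20", KDC_ERR_C_PRINCIPAL_UNKNOWN, "e.nair", "10.0.0.7"),
]


def find_enumeration_sources(events, window_minutes=10, min_distinct_users=5,
                             shared_addresses=frozenset()):
    """Return {source_ip: set(user names)} for each source that requested TGTs for
    at least `min_distinct_users` distinct unknown principals inside any sliding
    `window_minutes` window. `shared_addresses` are skipped: one IP there is many
    clients. The threshold is this example's assumption, not the page's."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for e in events:
        if (e["event_id"] == TGT_REQUEST_EVENT_ID
                and e["result_code"] == KDC_ERR_C_PRINCIPAL_UNKNOWN
                and e["source_ip"] not in shared_addresses):
            failures[e["source_ip"]].append((e["time"], e["target_user"]))

    flagged = {}
    for ip, items in failures.items():
        items.sort()
        in_window = Counter()  # user -> number of failures currently inside the window
        left = 0
        for ts, user in items:
            in_window[user] += 1
            # Slide the left edge forward until every retained failure is recent.
            while ts - items[left][0] > window:
                old_user = items[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            if len(in_window) >= min_distinct_users:
                flagged.setdefault(ip, set()).update(in_window)
    return flagged


def correlate_successes(events, flagged):
    """For each flagged source, list accounts that obtained a TGT after that
    source's first unknown-principal failure (possible follow-on compromise)."""
    first_failure = {}
    for e in events:
        if (e["source_ip"] in flagged and e["event_id"] == TGT_REQUEST_EVENT_ID
                and e["result_code"] == KDC_ERR_C_PRINCIPAL_UNKNOWN):
            ip = e["source_ip"]
            first_failure[ip] = min(first_failure.get(ip, e["time"]), e["time"])
    hits = defaultdict(list)
    for e in sorted(events, key=lambda x: x["time"]):
        ip = e["source_ip"]
        if (ip in first_failure and e["event_id"] == TGT_REQUEST_EVENT_ID
                and e["result_code"] == KDC_SUCCESS and e["time"] > first_failure[ip]):
            hits[ip].append(e["target_user"])
    return dict(hits)
```

Run it with `find_enumeration_sources(SAMPLE_EVENTS, shared_addresses={"10.0.0.7"})` and only 10.0.0.5 is returned, with the five user names from the last three minutes and without `stale_user`, which fell out of the window; `correlate_successes` then reports the later successful TGT for `jdoe` from that source, the account an analyst would examine first. Omitting `shared_addresses` also flags the NAT gateway, which is the false positive the first investigative action asks you to rule out. The window and the result code are the only values taken from the page; tune the threshold to your environment's baseline of typo-driven failures.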