Suspicious Kerberos Pre-Auth Failures by Host

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-05-10
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Spraying (T1110.003)

Severity

Low

Description

An endpoint failed an unusual number of Kerberos pre-authentication attempts (AS-REQ/TGT requests rejected by the KDC) relative to its learned baseline, which may indicate a password-spraying attack.

Attacker's Goals

The attacker is attempting to gain an initial foothold in the domain by trying one guessed password (or a small set of passwords) against a list of valid usernames, spreading the attempts across many accounts so that no single account reaches its lockout threshold.

Investigative actions

  • Identify the source host from which the failed pre-authentication attempts originated, and confirm that the source IP is not a shared address (NAT gateway, VPN concentrator, proxy, or terminal server) before attributing the activity to a single endpoint.
  • Review activity on the source host for additional suspicious behavior or lateral movement, and check whether the account pattern matches spraying (many distinct users, one or two attempts each) rather than a single misconfigured service or a user with an expired password.
  • Correlate subsequent successful logons (TGTs issued) from the same source host against the accounts that previously failed, to identify accounts that may have been compromised after the failed attempts.
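The detection described above and the three investigative steps, as an added Python example that is not Cortex XSIAM code and does not reproduce the product's model: it counts KDC_ERR_PREAUTH_FAILED (0x18) failures per host inside a 10-minute test window, compares the count with a threshold learned from per-host daily counts over a 30-day training period, labels the shape of the activity (spray versus brute force), and then lists accounts that failed from the flagged host and later obtained a TGT from it. The log lines, field names, training counts, z-score threshold and floor are all constructed assumptions; unknown-principal failures (0x6) are tracked separately because they point to username enumeration rather than spraying.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample telemetry, not real data. Fields: ts host user outcome code.
# "FAIL" with code 0x18 mirrors KDC_ERR_PREAUTH_FAILED (wrong password), the status seen
# in Windows event 4771; "OK" marks a TGT that was issued (Windows event 4768).
SAMPLE_LOG = """\
2026-05-10T09:00:01 WS-042 alice FAIL 0x18
2026-05-10T09:00:03 WS-042 bob FAIL 0x18
2026-05-10T09:00:05 WS-042 carol FAIL 0x18
2026-05-10T09:00:07 WS-042 dave FAIL 0x18
2026-05-10T09:00:09 WS-042 erin FAIL 0x18
2026-05-10T09:00:11 WS-042 frank FAIL 0x18
2026-05-10T09:00:13 WS-042 grace FAIL 0x18
2026-05-10T09:00:15 WS-042 heidi FAIL 0x18
2026-05-10T09:00:17 WS-042 ivan FAIL 0x18
2026-05-10T09:00:19 WS-042 judy FAIL 0x18
2026-05-10T09:00:20 WS-042 zed FAIL 0x6
2026-05-10T09:00:45 WS-042 judy OK 0x0
2026-05-10T09:02:00 WS-017 mallory FAIL 0x18
2026-05-10T09:02:30 WS-017 mallory FAIL 0x18
"""

# Constructed per-day 0x18 failure counts for each host over a 30-day training period.
# Comparing a 10-minute count against a daily baseline is deliberately conservative.
TRAINING_DAILY_FAILURES = {
    "WS-042": [1, 0, 2, 1, 0, 1, 1, 0, 2, 1, 0, 1, 1, 2, 0, 1, 0, 1, 1, 0, 2, 1, 1, 0, 1, 0, 1, 2, 1, 0],
    "WS-017": [3, 2, 4, 2, 3, 2, 3, 4, 2, 3, 3, 2, 4, 3, 2, 3, 2, 3, 4, 2, 3, 3, 2, 3, 4, 2, 3, 2, 3, 3],
}
WINDOW_END = datetime(2026, 5, 10, 9, 10)  # end of the (constructed) 10-minute test period
KDC_ERR_PREAUTH_FAILED = 0x18
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6


def parse_log(text):
    """Parse the constructed key-less log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, outcome, code = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "outcome": outcome, "code": int(code, 16)})
    return events


def host_stats(events, window_end, window=timedelta(minutes=10)):
    """Per-host 0x18 failure count and distinct users inside the test window.
    Other KDC error codes (e.g. 0x6 unknown principal) are counted separately."""
    start = window_end - window
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "other_codes": Counter()})
    for e in events:
        if e["outcome"] != "FAIL" or not (start <= e["ts"] <= window_end):
            continue
        s = stats[e["host"]]
        if e["code"] == KDC_ERR_PREAUTH_FAILED:
            s["failures"] += 1
            s["users"].add(e["user"])
        else:
            s["other_codes"][e["code"]] += 1
    return stats


def threshold(daily_counts, z=3.0, floor=5):
    """Baseline from the training period: mean + z*stdev, never below `floor`, so a host
    whose baseline is near zero is not flagged by a single mistyped password."""
    return max(floor, mean(daily_counts) + z * pstdev(daily_counts))


def classify(stats, baselines):
    """Alert on hosts above their baseline; label the shape of the activity.
    Spray: many distinct users with one or two attempts each. Otherwise: brute force."""
    alerts = {}
    for host, s in stats.items():
        limit = threshold(baselines.get(host, [0]))
        if s["failures"] <= limit:
            continue
        per_user = s["failures"] / len(s["users"])
        spray = len(s["users"]) >= 5 and per_user <= 2
        alerts[host] = {"failures": s["failures"], "distinct_users": len(s["users"]),
                        "threshold": limit, "pattern": "password_spray" if spray else "brute_force",
                        "enumeration_hints": s["other_codes"][KDC_ERR_C_PRINCIPAL_UNKNOWN]}
    return alerts


def successes_after_failure(events, host):
    """Third investigative step: accounts that failed from `host` and later got a TGT from it."""
    first_failure, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["host"] != host:
            continue
        if e["outcome"] == "FAIL" and e["code"] == KDC_ERR_PREAUTH_FAILED:
            first_failure.setdefault(e["user"], e["ts"])
        elif e["outcome"] == "OK" and e["user"] in first_failure:
            hits.append((e["user"], e["ts"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, a in classify(host_stats(evs, WINDOW_END), TRAINING_DAILY_FAILURES).items():
        print(host, a, "TGTs after failure:", successes_after_failure(evs, host))
```

On the sample data WS-042 is flagged as a spray (ten users, one attempt each) and judy is reported as a likely compromise because her TGT was issued after her failure; WS-017, with two failures for one user, stays under its learned threshold. The shared-address caveat from the first investigative step is not modelled here: if the host field is really a NAT or VPN address, the per-host count aggregates many clients and the threshold needs to be learned for that address specifically.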