UEBA : TGT Ticket Used by Multiple Hosts

The QRadar® User Entity Behavior Analytics (UEBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: False

Default senseValue: 15

Default senseValueSource: 10

Default senseValueDestination: 5

Description: Detects a Kerberos TGT ticket being used on two (or more) different computers.

Support rules:

BB:UBA : Common Event Filters

UBA : Kerberos Account Mapping (this rule updates the associated reference sets with the required data)

Required configuration: Enable the following rule: "UBA : Kerberos Account Mapping"

Log source types: Microsoft Windows Security Event Log (EventID: 4768)
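An added example, not QRadar's own rule logic or code from this page: it correlates Event ID 4768 records per account and flags an account whose successful TGT requests arrive from two or more source addresses within one ticket lifetime. The 10-hour window, the in-memory mapping that stands in for the reference sets, the function names, and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: one ticket lifetime, using the Active Directory default of 10 hours.
TGT_LIFETIME = timedelta(hours=10)

# Constructed sample events; field names follow the Windows 4768 event schema.
EVENTS = [
    {"time": "2024-05-01T08:00:00", "EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.21", "Status": "0x0"},
    {"time": "2024-05-01T08:05:00", "EventID": 4768, "TargetUserName": "bob", "IpAddress": "::ffff:10.0.0.30", "Status": "0x0"},
    {"time": "2024-05-01T08:10:00", "EventID": 4768, "TargetUserName": "WS01$", "IpAddress": "::ffff:10.0.0.21", "Status": "0x0"},
    {"time": "2024-05-01T08:11:00", "EventID": 4768, "TargetUserName": "WS01$", "IpAddress": "::ffff:10.0.0.22", "Status": "0x0"},
    {"time": "2024-05-01T08:20:00", "EventID": 4768, "TargetUserName": "carol", "IpAddress": "::ffff:10.0.0.99", "Status": "0x18"},
    {"time": "2024-05-01T08:21:00", "EventID": 4768, "TargetUserName": "carol", "IpAddress": "::ffff:10.0.0.40", "Status": "0x0"},
    {"time": "2024-05-01T09:30:00", "EventID": 4768, "TargetUserName": "Alice", "IpAddress": "10.0.0.57", "Status": "0x0"},
    {"time": "2024-05-01T20:00:00", "EventID": 4768, "TargetUserName": "bob", "IpAddress": "::ffff:10.0.0.31", "Status": "0x0"},
]

def normalize_ip(ip):
    """Strip the IPv4-mapped IPv6 prefix that 4768 events often carry."""
    return ip[7:] if ip.lower().startswith("::ffff:") else ip

def find_multi_host_accounts(events, window=TGT_LIFETIME):
    """Return {account: sorted source addresses} for accounts seen on 2+ hosts within window."""
    seen = {}    # account -> {host: last seen}; stand-in for the account mapping reference set
    alerts = {}  # account -> set of hosts involved in an overlap
    for ev in sorted(events, key=lambda e: e["time"]):
        # Only successful TGT grants count; failures (e.g. 0x18 bad password) issue no ticket.
        if ev["EventID"] != 4768 or ev["Status"] != "0x0":
            continue
        user = ev["TargetUserName"].lower()
        if user.endswith("$"):  # machine accounts are not user tickets
            continue
        now = datetime.fromisoformat(ev["time"])
        hosts = seen.setdefault(user, {})
        # Forget hosts whose last ticket would already have expired.
        for stale in [h for h, t in hosts.items() if now - t > window]:
            del hosts[stale]
        hosts[normalize_ip(ev["IpAddress"])] = now
        if len(hosts) > 1:
            alerts.setdefault(user, set()).update(hosts)
    return {user: sorted(found) for user, found in alerts.items()}

if __name__ == "__main__":
    for user, hosts in find_multi_host_accounts(EVENTS).items():
        print(f"{user}: TGT activity from {len(hosts)} hosts: {', '.join(hosts)}")
```

Event ID 4768 records TGT requests rather than ticket presentation, so this flags an account active on several hosts inside one lifetime; it cannot prove that a single ticket was copied between them.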