UBA : Possible TGT Forgery
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
UBA : Possible TGT Forgery
Enabled by default
False
Default senseValue
15
Description
Detects Kerberos TGTs that contain Domain Name anomalies. These anomalies possibly indicate tickets that were generated by using pass-the-ticket exploits.
Support rule
BB:UBA : Common Event Filters
Required configuration
Add the appropriate values to the following reference set: UBA : Trusted Domains.
Log source types
Microsoft Windows Security Event Logs (EventID: 4768)
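The following is an added example, not QRadar's own rule logic: it shows one way to triage exported Event ID 4768 records against a trusted-domain list outside the app. It assumes that "Domain Name anomaly" means a `TargetDomainName` value that is missing from the list; `TRUSTED_DOMAINS`, the function names and all sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed stand-in for the "UBA : Trusted Domains" reference set (constructed values).
TRUSTED_DOMAINS = {"CORP", "CORP.EXAMPLE.COM"}

# Constructed, trimmed Security events; real 4768 events carry more <Data> fields.
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID></System>"
    "<EventData>"
    '<Data Name="TargetUserName">{user}</Data>'
    '<Data Name="TargetDomainName">{domain}</Data>'
    "</EventData></Event>"
)
SAMPLES = [
    TEMPLATE.format(eid=4768, user="alice", domain="CORP"),
    TEMPLATE.format(eid=4768, user="bob", domain="corp.example.com"),
    TEMPLATE.format(eid=4768, user="svc_backup", domain="FAKEREALM.LOCAL"),
    TEMPLATE.format(eid=4768, user="mallory", domain=""),
    TEMPLATE.format(eid=4624, user="carol", domain="OTHER"),
]


def domain_anomaly(event_xml, trusted=TRUSTED_DOMAINS):
    """Return (user, domain) if a 4768 event names an untrusted domain, else None."""
    root = ET.fromstring(event_xml)
    # The rule's log source is limited to Event ID 4768 (TGT request).
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4768":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    domain = data.get("TargetDomainName", "")
    # Compare case-insensitively; an empty domain is never trusted.
    if domain.upper() in {t.upper() for t in trusted}:
        return None
    return data.get("TargetUserName", ""), domain


def scan(events, trusted=TRUSTED_DOMAINS):
    """Return the (user, domain) pairs that warrant review."""
    return [hit for hit in (domain_anomaly(e, trusted) for e in events) if hit]


if __name__ == "__main__":
    for user, domain in scan(SAMPLES):
        print(f"possible TGT forgery: user={user!r} domain={domain!r}")
```

The trusted list has to include both the short and the fully qualified form of each legitimate domain, otherwise normal ticket requests are flagged.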