UBA : Possible TGT Forgery

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Possible TGT Forgery

Enabled by default

False

Default senseValue

15

Description

Detects Kerberos TGTs that contain Domain Name anomalies. These possibly indicate tickets that are generated by using pass the ticket exploits.

Support rule

BB:UBA : Common Event Filters

Required configuration

Add the appropriate values to the following reference sets: UBA : Trusted Domains.

Log source types

Microsoft Windows Security Event Logs (EventID: 4768)