UBA : TGT Ticket Used by Multiple Hosts

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : TGT Ticket Used by Multiple Hosts

Enabled by default

False

Default senseValue

15

Description

Detects Kerberos TGT ticket being used on two (or more) different computers.

Support rule

BB:UBA : Common Event Filters

UBA : Kerberos Account Mapping

This rule updates the associated reference sets with the required data.

Required configuration

Enable the following rules: "UBA : Kerberos Account Mapping"

Log source types

Microsoft Windows Security Event Log (EventID: 4768)