UBA : Multiple Kerberos Authentication Failures from Same User

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default

False

Default senseValue

15

Description

Detects multiple Kerberos authentication ticket rejections or failures.

Support rules

  • BB:UBA : Common Log Source Filters
  • BB:UBA : Kerberos Authentication Failures

Required configuration

Enable the "Search assets for username, when username is not available for event or flow data" setting in Admin Settings > UBA Settings.

Log source types

Microsoft Windows Security Event Log (EventID: 4768, 4771)
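
The following is an added example, not IBM's rule logic or code from the UBA app: it shows the kind of per-user counting the description implies over the two listed EventIDs, including the fact that 4768 is logged for successful ticket requests as well as failed ones. The threshold, time window, function names, and sample events are assumptions made for illustration; the page does not state the rule's actual threshold or window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values: the page does not give the rule's threshold or time window.
THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample events: (timestamp, EventID, account name, result/failure code).
SAMPLE_EVENTS = (
    # alice: six successful TGT requests (4768 with result code 0x0), not failures.
    [(f"2024-05-01T09:0{i}:00", 4768, "alice", "0x0") for i in range(6)]
    + [  # bob: five failures inside five minutes, mixed EventIDs and name casing.
        ("2024-05-01T09:00:10", 4771, "bob", "0x18"),
        ("2024-05-01T09:01:10", 4771, "BOB", "0x18"),
        ("2024-05-01T09:02:10", 4771, "bob", "0x18"),
        ("2024-05-01T09:03:10", 4771, "bob", "0x18"),
        ("2024-05-01T09:04:10", 4768, "bob", "0x12"),
    ]
    # carol: five failures, but one per hour, so never five inside the window.
    + [(f"2024-05-01T{10 + i}:00:00", 4771, "carol", "0x18") for i in range(5)]
)

def is_kerberos_failure(event_id, code):
    """4771 is always a pre-authentication failure; 4768 is logged for both
    successful and failed TGT requests, so only non-zero result codes count."""
    if event_id == 4771:
        return True
    if event_id == 4768:
        return int(code, 16) != 0
    return False

def users_over_threshold(events, threshold=THRESHOLD, window=WINDOW):
    """Return {user: timestamp of the failure that first reached the threshold}."""
    recent = defaultdict(deque)  # user -> failure times still inside the window
    flagged = {}
    for ts, event_id, user, code in sorted(events):
        if not is_kerberos_failure(event_id, code):
            continue
        when = datetime.fromisoformat(ts)
        user = user.lower()  # Windows account names are case-insensitive
        times = recent[user]
        times.append(when)
        while when - times[0] > window:
            times.popleft()  # drop failures older than the sliding window
        if len(times) >= threshold and user not in flagged:
            flagged[user] = ts
    return flagged

if __name__ == "__main__":
    print(users_over_threshold(SAMPLE_EVENTS))
```
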