Suspected identity theft (pass-the-ticket) on multiple endpoints false positive
I have recently analysed Suspected identity theft (pass-the-ticket) alerts which I think are false positives. I’ve been digging into logs to figure this out, but I’m starting to think the reason was staring me in the face.
I’m no expert on this type of alert, but what I’ve understood is host B steals host A’s Kerberos ticket to access network resources. However, I believe Identity Protection has misidentified an IP address as a hostname. Looking forward to any opinions:
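An added example, not from the original post and not Defender for Identity's own logic, of the IP-versus-hostname mismatch described above: a toy correlation check over constructed ticket events flags a ticket seen from two endpoints, first comparing the source fields as raw strings and then after resolving hostnames to addresses. SAMPLE_EVENTS, HOST_INVENTORY and the event layout are assumptions made for the example.

```python
"""
Toy pass-the-ticket correlation: one Kerberos service ticket seen from two
different endpoints is suspicious, but only if the two "endpoints" really
are different machines. Constructed data; not any vendor's detection code.
"""
import ipaddress
from collections import defaultdict

# Constructed sample events: (timestamp, account, ticket_id, source_field).
# The source field is whatever the sensor recorded: sometimes a hostname,
# sometimes a bare IP address for the very same machine.
SAMPLE_EVENTS = [
    ("08:00:01", "alice", "tkt-0001", "HOSTA.corp.example"),
    ("08:00:09", "alice", "tkt-0001", "10.10.5.21"),   # same box as HOSTA
    ("08:01:30", "bob",   "tkt-0002", "HOSTB.corp.example"),
    ("08:02:12", "bob",   "tkt-0002", "10.10.5.99"),   # genuinely another box
]

# Constructed name-to-address inventory (what DNS or an asset DB would give).
HOST_INVENTORY = {
    "hosta.corp.example": "10.10.5.21",
    "hostb.corp.example": "10.10.5.22",
}


def canonical_host(source: str, inventory=HOST_INVENTORY) -> str:
    """Map a source field to a canonical IP so that a hostname and an IP
    for the same machine compare equal. Unknown names are lower-cased."""
    try:
        return str(ipaddress.ip_address(source))
    except ValueError:
        pass
    name = source.lower()
    return inventory.get(name, name)


def find_ticket_reuse(events, normalize=True):
    """Return {ticket_id: sorted distinct sources} for tickets seen from more
    than one endpoint. normalize=False compares raw strings, which is the
    behaviour the poster suspects produced the false positive."""
    seen = defaultdict(set)
    for _ts, _account, ticket_id, source in events:
        seen[ticket_id].add(canonical_host(source) if normalize else source)
    return {t: sorted(s) for t, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    print("raw compare:       ", find_ticket_reuse(SAMPLE_EVENTS, normalize=False))
    print("normalized compare:", find_ticket_reuse(SAMPLE_EVENTS))
```

With raw comparison both tickets are flagged; after normalization only tkt-0002, which really did move between two machines, remains.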