User Kerb tkt was taken from DirectAccess always on VPN server which has local NPS then used on user computer to access multiple resources. Expected behavior observed. What conditions to use for suppressing this alert?

Related account: krbtgt

Suspect account: domain user

Hosts related: DC, DirectAccess server with local NPS

Source host: domain user machine

I can use the above SID and exclude but I’m hesitant as TP alerts may automatically close. I’ve several alerts like these daily.

​User Kerb tkt was taken from DirectAccess always on VPN server which has local NPS then used on user computer to access multiple resources. Expected behavior observed. What conditions to use for suppressing this alert? Related account: krbtgtSuspect account: domain userHosts related: DC, DirectAccess server with local NPSSource host: domain user machine I can use the above SID and exclude but I’m hesitant as TP alerts may automatically close. I’ve several alerts like these daily.  Read More

​