https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/pass-the-ticket-ptt/m-p/1246750#M9058 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1394400413">@EMARTINS BERNARDES</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P><SPAN>Cortex XSIAM primarily addresses&nbsp;</SPAN><STRONG>Pass-the-Ticket (PtT)</STRONG><SPAN>&nbsp;attacks through its built-in&nbsp;</SPAN><STRONG>Identity Analytics</STRONG><SPAN>&nbsp;engine rather than requiring a manual correlation rule from scratch. This approach is generally more effective as it leverages baselining and multi-host behavior that is difficult to capture in a static query.</SPAN></P> <P>&nbsp;</P> <H4>1. Ready-Made Analytics Detector</H4> <P>Cortex XSIAM includes a dedicated out-of-the-box (OOTB) detector for this technique:</P> <UL> <LI> <P><STRONG>Detector Name:</STRONG> Possible TGT reuse from different hosts (pass the ticket)</P> </LI> <LI> <P><STRONG>Alert ID:</STRONG> ID-4604</P> </LI> <LI> <P><STRONG>Detection Logic:</STRONG><BR />This detector triggers when the system observes two different hosts sending a Ticket Granting Service (TGS) request using the same Ticket Granting Ticket (TGT).</P> </LI> <LI> <P><STRONG>MITRE ATT&amp;CK Mapping:</STRONG></P> <UL> <LI> <P>Lateral Movement (TA0008)</P> </LI> <LI> <P>Use Alternate Authentication Material: Pass the Ticket (T1550.003)</P> </LI> </UL> </LI> </UL> <P>Internal logs may also show an alert titled <STRONG>“Pass-The-Ticket Attack Detected”</STRONG>, mapped to <STRONG>MITRE T1550</STRONG>, in environments where <STRONG>Identity Threat Detection and Response (ITDR)</STRONG> is enabled.</P> <H4>2. Essential Configuration and Prerequisites</H4> <P>To ensure these ready-made detections function correctly, verify the following configurations:</P> <UL> <LI> <P><STRONG>Enable Identity Analytics:</STRONG><BR />Navigate to <STRONG>Settings → Configurations → Cortex Analytics</STRONG> and confirm that <STRONG>Identity Analytics</STRONG> is enabled under the <EM>Featured in Analytics</EM> section.</P> </LI> <LI> <P><STRONG>Cloud Identity Engine (CIE) Synchronization:</STRONG><BR />A successful synchronization with CIE is required to provide the Active Directory context necessary for identity-based correlations.</P> </LI> <LI> <P><STRONG>Agent Deployment:</STRONG><BR />The detector relies on telemetry collected by the <STRONG>Cortex XDR Agent</STRONG> deployed on endpoints and domain controllers.</P> </LI> </UL> <H4>3. Logic Ideas for Custom Correlation Rules</H4> <P>If you choose to create a custom rule, effective logic typically focuses on anomalies in Kerberos-related events (Event IDs <STRONG>4768</STRONG>, <STRONG>4769</STRONG>, <STRONG>4624</STRONG>). Key patterns to consider include:</P> <UL> <LI> <P><STRONG>Mismatched Source IPs:</STRONG><BR />Detect scenarios where a Kerberos ticket is requested from one IP address but later used from another.</P> </LI> <LI> <P><STRONG>Suspicious Encryption Types:</STRONG><BR />Monitor for Kerberos tickets using weak or deprecated encryption, such as <STRONG>RC4 (encryption type 0x17)</STRONG>. XSIAM already tracks related anomalies through detections focused on weakly encrypted Kerberos responses, which may indicate credential manipulation or Skeleton Key activity.</P> </LI> <LI> <P><STRONG>Unusual Process Access:</STRONG><BR />In Windows environments, Pass-the-Ticket attacks often involve tools accessing <STRONG>LSASS</STRONG> process memory. Custom BIOCs can be used to detect suspicious memory access patterns or credential-dumping tools before the ticket is reused.</P> </LI> </UL> <H4>4. Verifying Coverage</H4> <P>To confirm whether your environment is already protected:</P> <UL> <LI> <P>Review the <STRONG>Cortex XSIAM Analytics Alert Reference</STRONG> to see the latest centrally managed multi-event rules.</P> </LI> <LI> <P>Check the <STRONG>MITRE ATT&amp;CK Framework Coverage</STRONG> dashboard in the console to identify techniques with active OOTB detection.</P> </LI> <LI> <P>If using <STRONG>XQL</STRONG> for custom analytics, ensure queries are built against the <STRONG>xdr_data</STRONG> or <STRONG>microsoft_windows_raw</STRONG> datasets.</P> </LI> </UL> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Happy New year!!</P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 27 Jan 2026 22:01:59 GMT susekar 2026-01-27T22:01:59Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/pass-the-ticket-ptt/m-p/1246747#M9057 <P>Hi guys,&nbsp;</P> <DIV> <P>I’d like to know if anyone already has a detection rule configured in <STRONG>XSIAM correlation</STRONG> for a <STRONG>Pass‑the‑Ticket attack</STRONG>.<BR />I’m building a rule from scratch, but it’s not as effective as I’d like.</P> <P>If anyone has a ready‑made rule or some solid ideas and can share them, it would greatly speed up the process.</P> <P>&nbsp;</P> <P>&nbsp;</P> </DIV> Tue, 27 Jan 2026 19:04:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/pass-the-ticket-ptt/m-p/1246747#M9057 EMARTINS BERNARDES 2026-01-27T19:04:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/pass-the-ticket-ptt/m-p/1246750#M9058 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1394400413">@EMARTINS BERNARDES</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P><SPAN>Cortex XSIAM primarily addresses&nbsp;</SPAN><STRONG>Pass-the-Ticket (PtT)</STRONG><SPAN>&nbsp;attacks through its built-in&nbsp;</SPAN><STRONG>Identity Analytics</STRONG><SPAN>&nbsp;engine rather than requiring a manual correlation rule from scratch. This approach is generally more effective as it leverages baselining and multi-host behavior that is difficult to capture in a static query.</SPAN></P> <P>&nbsp;</P> <H4>1. Ready-Made Analytics Detector</H4> <P>Cortex XSIAM includes a dedicated out-of-the-box (OOTB) detector for this technique:</P> <UL> <LI> <P><STRONG>Detector Name:</STRONG> Possible TGT reuse from different hosts (pass the ticket)</P> </LI> <LI> <P><STRONG>Alert ID:</STRONG> ID-4604</P> </LI> <LI> <P><STRONG>Detection Logic:</STRONG><BR />This detector triggers when the system observes two different hosts sending a Ticket Granting Service (TGS) request using the same Ticket Granting Ticket (TGT).</P> </LI> <LI> <P><STRONG>MITRE ATT&amp;CK Mapping:</STRONG></P> <UL> <LI> <P>Lateral Movement (TA0008)</P> </LI> <LI> <P>Use Alternate Authentication Material: Pass the Ticket (T1550.003)</P> </LI> </UL> </LI> </UL> <P>Internal logs may also show an alert titled <STRONG>“Pass-The-Ticket Attack Detected”</STRONG>, mapped to <STRONG>MITRE T1550</STRONG>, in environments where <STRONG>Identity Threat Detection and Response (ITDR)</STRONG> is enabled.</P> <H4>2. Essential Configuration and Prerequisites</H4> <P>To ensure these ready-made detections function correctly, verify the following configurations:</P> <UL> <LI> <P><STRONG>Enable Identity Analytics:</STRONG><BR />Navigate to <STRONG>Settings → Configurations → Cortex Analytics</STRONG> and confirm that <STRONG>Identity Analytics</STRONG> is enabled under the <EM>Featured in Analytics</EM> section.</P> </LI> <LI> <P><STRONG>Cloud Identity Engine (CIE) Synchronization:</STRONG><BR />A successful synchronization with CIE is required to provide the Active Directory context necessary for identity-based correlations.</P> </LI> <LI> <P><STRONG>Agent Deployment:</STRONG><BR />The detector relies on telemetry collected by the <STRONG>Cortex XDR Agent</STRONG> deployed on endpoints and domain controllers.</P> </LI> </UL> <H4>3. Logic Ideas for Custom Correlation Rules</H4> <P>If you choose to create a custom rule, effective logic typically focuses on anomalies in Kerberos-related events (Event IDs <STRONG>4768</STRONG>, <STRONG>4769</STRONG>, <STRONG>4624</STRONG>). Key patterns to consider include:</P> <UL> <LI> <P><STRONG>Mismatched Source IPs:</STRONG><BR />Detect scenarios where a Kerberos ticket is requested from one IP address but later used from another.</P> </LI> <LI> <P><STRONG>Suspicious Encryption Types:</STRONG><BR />Monitor for Kerberos tickets using weak or deprecated encryption, such as <STRONG>RC4 (encryption type 0x17)</STRONG>. XSIAM already tracks related anomalies through detections focused on weakly encrypted Kerberos responses, which may indicate credential manipulation or Skeleton Key activity.</P> </LI> <LI> <P><STRONG>Unusual Process Access:</STRONG><BR />In Windows environments, Pass-the-Ticket attacks often involve tools accessing <STRONG>LSASS</STRONG> process memory. Custom BIOCs can be used to detect suspicious memory access patterns or credential-dumping tools before the ticket is reused.</P> </LI> </UL> <H4>4. Verifying Coverage</H4> <P>To confirm whether your environment is already protected:</P> <UL> <LI> <P>Review the <STRONG>Cortex XSIAM Analytics Alert Reference</STRONG> to see the latest centrally managed multi-event rules.</P> </LI> <LI> <P>Check the <STRONG>MITRE ATT&amp;CK Framework Coverage</STRONG> dashboard in the console to identify techniques with active OOTB detection.</P> </LI> <LI> <P>If using <STRONG>XQL</STRONG> for custom analytics, ensure queries are built against the <STRONG>xdr_data</STRONG> or <STRONG>microsoft_windows_raw</STRONG> datasets.</P> </LI> </UL> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Happy New year!!</P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 27 Jan 2026 22:01:59 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/pass-the-ticket-ptt/m-p/1246750#M9058 susekar 2026-01-27T22:01:59Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/pass-the-ticket-ptt/m-p/1246855#M9060 <P>Can you describe your correlation rule? What methods are you using to validate your detection?&nbsp;</P> Wed, 28 Jan 2026 14:06:03 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/pass-the-ticket-ptt/m-p/1246855#M9060 ChrisDavila 2026-01-28T14:06:03Z