01-27-2026 11:04 AM
Hi guys,
I’d like to know if anyone already has a detection rule configured in XSIAM correlation for a Pass‑the‑Ticket attack.
I’m building a rule from scratch, but it’s not as effective as I’d like.
If anyone has a ready‑made rule or some solid ideas and can share them, it would greatly speed up the process.
01-27-2026 02:01 PM
Hello @EMARTINS BERNARDES,
Greetings for the day.
Cortex XSIAM primarily addresses Pass-the-Ticket (PtT) attacks through its built-in Identity Analytics engine rather than requiring a manual correlation rule from scratch. This approach is generally more effective as it leverages baselining and multi-host behavior that is difficult to capture in a static query.
Cortex XSIAM includes a dedicated out-of-the-box (OOTB) detector for this technique:
Detector Name: Possible TGT reuse from different hosts (pass the ticket)
Alert ID: ID-4604
Detection Logic:
This detector triggers when the system observes two different hosts sending a Ticket Granting Service (TGS) request using the same Ticket Granting Ticket (TGT).
MITRE ATT&CK Mapping:
Lateral Movement (TA0008)
Use Alternate Authentication Material: Pass the Ticket (T1550.003)
Internal logs may also show an alert titled “Pass-The-Ticket Attack Detected”, mapped to MITRE T1550, in environments where Identity Threat Detection and Response (ITDR) is enabled.
To ensure these ready-made detections function correctly, verify the following configurations:
Enable Identity Analytics:
Navigate to Settings → Configurations → Cortex Analytics and confirm that Identity Analytics is enabled under the Featured in Analytics section.
Cloud Identity Engine (CIE) Synchronization:
A successful synchronization with CIE is required to provide the Active Directory context necessary for identity-based correlations.
Agent Deployment:
The detector relies on telemetry collected by the Cortex XDR Agent deployed on endpoints and domain controllers.
If you choose to create a custom rule, effective logic typically focuses on anomalies in Kerberos-related events (Event IDs 4768, 4769, 4624). Key patterns to consider include:
Mismatched Source IPs:
Detect scenarios where a Kerberos ticket is requested from one IP address but later used from another.
Suspicious Encryption Types:
Monitor for Kerberos tickets using weak or deprecated encryption, such as RC4 (encryption type 0x17). XSIAM already tracks related anomalies through detections focused on weakly encrypted Kerberos responses, which may indicate credential manipulation or Skeleton Key activity.
Unusual Process Access:
In Windows environments, Pass-the-Ticket attacks often involve tools accessing LSASS process memory. Custom BIOCs can be used to detect suspicious memory access patterns or credential-dumping tools before the ticket is reused.
To confirm whether your environment is already protected:
Review the Cortex XSIAM Analytics Alert Reference to see the latest centrally managed multi-event rules.
Check the MITRE ATT&CK Framework Coverage dashboard in the console to identify techniques with active OOTB detection.
If using XQL for custom analytics, ensure queries are built against the xdr_data or microsoft_windows_raw datasets.
If you feel this has answered your query, please let us know by clicking "Like" and "Mark this as a Solution".
Happy New Year!!
Thanks & Regards,
S. Subashkar Sekar
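The two custom-rule patterns from the reply above (a TGS request arriving from a different source IP than the one that obtained the TGT, and tickets issued with RC4, encryption type 0x17), run over a handful of constructed Windows Security events. This is an added example, not Cortex XSIAM code or an XQL rule from Palo Alto Networks; the logic is written in Python so it runs offline, and a practitioner would port the same joins to XQL over the microsoft_windows_raw dataset. The sample events, the field names, the 10-hour correlation window (assumed to match the default maximum TGT lifetime) and the decision to skip machine accounts are all assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security 4768 (TGT request)
# and 4769 (TGS request) fields. These are not logs from any real environment.
# Note the realistic quirks: 4769 carries user@REALM while 4768 carries the
# bare name, and domain controllers log IPv4 sources as IPv4-mapped IPv6.
EVENTS = [
    {"time": "2026-01-27T09:00:00", "EventID": 4768, "TargetUserName": "alice",
     "IpAddress": "::ffff:10.0.0.5", "TicketEncryptionType": "0x12"},
    {"time": "2026-01-27T09:05:00", "EventID": 4769, "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "cifs/fs01", "IpAddress": "::ffff:10.0.0.5", "TicketEncryptionType": "0x12"},
    # alice's TGT reused from a second host: the pass-the-ticket signal
    {"time": "2026-01-27T09:30:00", "EventID": 4769, "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "cifs/fs01", "IpAddress": "::ffff:10.0.0.77", "TicketEncryptionType": "0x12"},
    {"time": "2026-01-27T09:10:00", "EventID": 4768, "TargetUserName": "bob",
     "IpAddress": "::ffff:10.0.0.9", "TicketEncryptionType": "0x17"},
    {"time": "2026-01-27T09:12:00", "EventID": 4769, "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "ldap/dc01", "IpAddress": "::ffff:10.0.0.9", "TicketEncryptionType": "0x17"},
    # carol: TGS request with no 4768 in the window (log gap or older TGT), not judged
    {"time": "2026-01-27T09:40:00", "EventID": 4769, "TargetUserName": "carol@CORP.LOCAL",
     "ServiceName": "cifs/fs01", "IpAddress": "::ffff:10.0.0.20", "TicketEncryptionType": "0x12"},
    # machine account renewing its TGT: skipped as noise
    {"time": "2026-01-27T09:41:00", "EventID": 4769, "TargetUserName": "WS01$@CORP.LOCAL",
     "ServiceName": "krbtgt/CORP.LOCAL", "IpAddress": "::ffff:10.0.0.5", "TicketEncryptionType": "0x12"},
]

TGT_WINDOW = timedelta(hours=10)  # assumption: default AD maximum TGT lifetime
WEAK_ETYPES = {"0x17"}            # RC4-HMAC, the etype the reply calls out


def _norm_user(name):
    # 4769 logs user@REALM, 4768 logs the bare name; join on the bare name
    return name.split("@", 1)[0].lower()


def _norm_ip(ip):
    # strip the IPv4-mapped IPv6 prefix so both event types compare equal
    return ip.removeprefix("::ffff:")


def find_ticket_reuse(events, window=TGT_WINDOW):
    """Flag 4769 requests whose source IP never obtained a 4768 TGT for the
    same user within `window`. Returns (user, tgt_ip, tgs_ip) tuples.
    Machine accounts ($) are skipped: they rarely roam and only add noise."""
    tgts = defaultdict(list)  # user -> [(timestamp, source ip)] of TGT requests
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        user, ip = _norm_user(ev["TargetUserName"]), _norm_ip(ev["IpAddress"])
        if user.endswith("$"):
            continue
        if ev["EventID"] == 4768:
            tgts[user].append((ts, ip))
        elif ev["EventID"] == 4769:
            recent = [(t, i) for t, i in tgts[user] if ts - window <= t <= ts]
            if not recent:
                continue  # no TGT observed in the window: cannot judge, avoid a false positive
            if ip not in {i for _, i in recent}:
                hits.append((user, recent[-1][1], ip))
    return hits


def find_weak_etypes(events, weak=WEAK_ETYPES):
    """Flag tickets issued with a weak encryption type. A 4768 TGT in RC4 is the
    stronger signal (etype downgrade or a forged TGT); a 4769 in RC4 can simply
    be a legacy service account with no AES keys, so treat it as lower fidelity."""
    return [(ev["EventID"], _norm_user(ev["TargetUserName"]), ev["TicketEncryptionType"])
            for ev in events if ev.get("TicketEncryptionType") in weak]


if __name__ == "__main__":
    for hit in find_ticket_reuse(EVENTS):
        print("possible pass-the-ticket: user=%s tgt_from=%s tgs_from=%s" % hit)
    for hit in find_weak_etypes(EVENTS):
        print("weak Kerberos etype: event=%d user=%s etype=%s" % hit)
```

On the sample data the IP-mismatch rule fires once (alice's TGT obtained on 10.0.0.5, TGS requested from 10.0.0.77) and the etype rule fires twice for bob. The mismatch rule deliberately stays silent when no 4768 was seen in the window, which is the main source of false positives in a naive version: VPN address changes, NAT and multi-homed hosts still need to be excluded in a real environment, and the reply's point stands that the OOTB detector, which sees the actual TGT rather than inferring it from IPs, is the higher-fidelity option.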