Runbook for 'Suspected Identity Theft - Pass The Ticket'

Hi All -

I'm seeing quite a few alerts coming in that are 'Suspected Identity Theft - Pass The Ticket' from Sentinel.

I'm really not too sure how to handle these.


Essentially, what I am seeing:

Alerting computer: (Laptop1)

DC: (DC1)

User: User

What I do:


I check sign in logs, look for abnormalities

Check the IP's/Devices and make sure the user/device is trying to access internal resources, not an unknown account accessing internal resources




Not sure what else to …

alerting alerts check coming computer cybersecurity identity identity theft logs pass sentinel sign theft ticket