
View Active Directory Attack Indicators and Servers

  1. Log in to the LogRhythm NDR UI.
  2. Click the Hunt tab, and then click Activity.
    The Hunt / Activity page appears.
    If a Bruteforce event or Golden Ticket attack has taken place, it is recorded as a KerberosAnomalyEvent.
  3. To open a Kerberos Anomaly Event, click the entry name KerberosAnomalyEvent in the legend of the chart. Alternatively, search for entry_type:*KerberosAnomalyEvent* in the search field above the chart.
  4. Click the + icon to the left of the Timestamp for an event.
    Two tabs appear below that event.
  5. Click the JSON tab.
    The JSON tab appears with a list of values, including _score and _source.
  6. To expand the JSON tab, click the _source value.
    Additional values appear, including event_attribute and event_category.

