View Active Directory Attack Indicators and Servers
- Log in to the LogRhythm NDR UI.
- Click the Hunt tab, and then click Activity.
The Hunt / Activity page appears.
If a Bruteforce event or Golden Ticket attack has taken place, it is recorded as a KerberosAnomalyEvent.
- To open a Kerberos Anomaly Event, click the entry name KerberosAnomalyEvent in the legend of the chart. Alternatively, search for entry_type:*KerberosAnomalyEvent* in the search field above the chart.
- Click the + icon to the left of the Timestamp for an event.
Two tabs appear below that event.
- Click the JSON tab.
The JSON tab appears with a list of values, including _score and _source.
- To expand the JSON tab, click the _source value.
Additional values appear, including event_attribute and event_category.