- Log in to the LogRhythm NDR UI.
- Click the Hunt tab, and then click Activity.
  The Hunt / Activity page appears.
  If a Bruteforce event or Golden Ticket attack has taken place, it is recorded as a KerberosAnomalyEvent.
- To open a Kerberos Anomaly Event, click the entry name KerberosAnomalyEvent in the legend of the chart. Or you can search for entry_type:*KerberosAnomalyEvent* in the search field above the chart.
- Click the + icon to the left of the Timestamp for an event.
  Two tabs appear below that event.
- Click the JSON tab.
  The JSON tab appears with a list of values, including _score and _source.
- To expand the JSON tab, click the _source value.
  Additional values appear, including event_attribute and event_category.
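
An offline version of the steps above, as an added example (not LogRhythm code): it applies the same entry_type wildcard to hits copied from the JSON tab, skips hits that lack _source, and tallies the matches by event_category. The sample hits, the placement of entry_type and timestamp under _source, and every field value are constructed assumptions.

```python
import json
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample hits shaped like the JSON tab (_score plus _source).
# Assumptions: entry_type and timestamp sit under _source; all values are made up.
SAMPLE_HITS = json.loads("""
[
 {"_score": 1.0, "_source": {"entry_type": "KerberosAnomalyEvent",
   "timestamp": "2024-01-01T10:00:00Z", "event_category": "sample-category-a",
   "event_attribute": {"sample_key": "sample-value-1"}}},
 {"_score": 1.0, "_source": {"entry_type": "KerberosAnomalyEvent",
   "timestamp": "2024-01-01T10:05:00Z", "event_category": "sample-category-a",
   "event_attribute": {"sample_key": "sample-value-2"}}},
 {"_score": 0.7, "_source": {"entry_type": "sample.KerberosAnomalyEvent",
   "timestamp": "2024-01-01T10:07:00Z",
   "event_attribute": {"sample_key": "sample-value-3"}}},
 {"_score": 0.4, "_source": {"entry_type": "SampleOtherEvent",
   "timestamp": "2024-01-01T10:09:00Z", "event_category": "sample-category-b"}},
 {"_score": 0.1}
]
""")

QUERY_PATTERN = "*KerberosAnomalyEvent*"  # wildcard from the page's search string


def kerberos_anomalies(hits, pattern=QUERY_PATTERN):
    """Return the _source of every hit whose entry_type matches the wildcard."""
    matched = []
    for hit in hits:
        source = hit.get("_source") if isinstance(hit, dict) else None
        if not isinstance(source, dict):
            continue  # hit copied without its _source: nothing to inspect
        entry_type = source.get("entry_type")
        if isinstance(entry_type, str) and fnmatchcase(entry_type, pattern):
            matched.append(source)
    return matched


def summarize(sources):
    """Count matched events per event_category; absent values are flagged."""
    return Counter(str(s.get("event_category", "<missing>")) for s in sources)


if __name__ == "__main__":
    events = kerberos_anomalies(SAMPLE_HITS)
    for category, count in summarize(events).most_common():
        print(f"{count:3d}  {category}")
    for event in events:
        print(event.get("timestamp"), json.dumps(event.get("event_attribute")))
```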