28 May
Windows Kerberos Pre-Auth Failed (4771)
Is there an easy way to distinguish 4771 events from a real attack perspective vs. someone having a stale session with an old password?
If you don't get logs from all endpoints and rely on Domain Controllers, you have to key off of 4771 and 4625 for failures, where 4771 covers the Kerberos events from domain-joined computers to the DCs.
It's nice having visibility across the endpoints without getting logs from everything, but for these 4771 events, most of the alerts I see are just stale sessions and non-security events. I don't see any sub-code or item to key off of for a stale/old password vs. a real attack.
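Added example, not code from the original post: a Python triage pass over 4771 events that uses the only signals the DC actually gives you (source IP, target account, failure code, timing) to separate a stale credential retry loop from a spray or brute force. The field names (TargetUserName, IpAddress, Status) are the 4771 EventData names; the sample events, IPs, account names, thresholds and the 4723/4724 password-change map are constructed assumptions and need tuning for a real environment.

```python
"""Triage Windows 4771 (Kerberos pre-auth failed) events: stale credential vs. spray vs. brute force.
Added example, not from the original post. Sample data, thresholds and the
password-change map are constructed; 4771 field names match the real EventData."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Kerberos error codes that show up in the 4771 Status field (RFC 4120 numbering).
STATUS_NAMES = {
    "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # no such account
    "0x12": "KDC_ERR_CLIENT_REVOKED",      # disabled, locked out or expired account
    "0x17": "KDC_ERR_KEY_EXPIRED",         # password expired
    "0x18": "KDC_ERR_PREAUTH_FAILED",      # wrong password: the code worth triaging
    "0x25": "KDC_ERR_SKEW",                # clock skew, not a credential problem
}

# Assumed thresholds, tune per environment.
SPRAY_MIN_ACCOUNTS = 5      # distinct accounts from one source IP inside one window
BRUTE_MIN_FAILURES = 10     # failures for one account from one source IP inside one window
STALE_MIN_FAILURES = 3
STALE_MIN_INTERVAL_S = 60   # slower than this looks like a scheduled retry, not a human or a tool
STALE_MAX_JITTER = 0.2      # pstdev/mean of gaps between failures; near-constant cadence

def _event(ts, user, ip, status):
    return {"TimeCreated": ts, "TargetUserName": user, "IpAddress": ip, "Status": status}

def build_sample():
    """Constructed 4771 events (not real logs). 4771 logs IPv4 clients as ::ffff:a.b.c.d."""
    base = datetime(2024, 5, 28, 8, 0, 0)
    ev = []
    # A service on 10.0.0.5 still holds the old svc_backup password: one failure every 5 min.
    for i in range(6):
        ev.append(_event(base + timedelta(minutes=5 * i), "svc_backup", "::ffff:10.0.0.5", "0x18"))
    # Password spray from 10.0.0.99: one try against each of 12 accounts within a minute.
    for i in range(12):
        ev.append(_event(base + timedelta(seconds=5 * i), f"user{i:02d}", "::ffff:10.0.0.99", "0x18"))
    # Brute force of jsmith from 10.0.0.77: 15 tries in 30 s, then the account is revoked (0x12).
    for i in range(15):
        ev.append(_event(base + timedelta(minutes=20, seconds=2 * i), "jsmith", "::ffff:10.0.0.77", "0x18"))
    ev.append(_event(base + timedelta(minutes=20, seconds=31), "jsmith", "::ffff:10.0.0.77", "0x12"))
    # Clock skew from a workstation: noise, not a credential failure.
    ev.append(_event(base, "WKS01$", "::ffff:10.0.0.20", "0x25"))
    return ev

# Assumed: last password change/reset per account, taken from 4723/4724 events (constructed here).
PASSWORD_CHANGES = {"svc_backup": datetime(2024, 5, 28, 7, 50, 0)}

def _max_distinct_accounts(evs, window):
    """Most distinct target accounts from one source in any window-long interval (evs sorted)."""
    best = 0
    for i, e in enumerate(evs):
        end = e["TimeCreated"] + window
        best = max(best, len({x["TargetUserName"] for x in evs[i:] if x["TimeCreated"] <= end}))
    return best

def _max_count(times, window):
    """Most failures in any window-long interval (times sorted)."""
    return max(sum(1 for x in times[i:] if x <= t + window) for i, t in enumerate(times))

def _regular_cadence(times):
    """True when failures arrive slowly and at a near-constant interval: a retry loop signature."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg >= STALE_MIN_INTERVAL_S and pstdev(gaps) / avg <= STALE_MAX_JITTER

def status_summary(events):
    """Counts per failure code, named where known, to see how much of the volume is skew/noise."""
    counts = defaultdict(int)
    for e in events:
        counts[STATUS_NAMES.get(e["Status"], e["Status"])] += 1
    return dict(counts)

def triage_4771(events, password_changes=None, window=timedelta(minutes=10)):
    """Return {(source_ip, account): finding}; spray findings use account '*'."""
    password_changes = password_changes or {}
    by_ip = defaultdict(list)
    for e in events:
        if e["Status"] == "0x18":                # only wrong-password failures are triaged
            by_ip[e["IpAddress"]].append(e)
    revoked = {(e["IpAddress"], e["TargetUserName"]) for e in events if e["Status"] == "0x12"}
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        accounts = _max_distinct_accounts(evs, window)
        if accounts >= SPRAY_MIN_ACCOUNTS:       # one source, many accounts: spray
            findings[(ip, "*")] = {"verdict": "password_spray", "accounts": accounts, "count": len(evs)}
            continue
        per_account = defaultdict(list)
        for e in evs:
            per_account[e["TargetUserName"]].append(e["TimeCreated"])
        for acct, times in per_account.items():
            f = {"count": len(times)}
            if _max_count(times, window) >= BRUTE_MIN_FAILURES:   # one account, fast burst
                f["verdict"] = "brute_force"
                f["locked_out"] = (ip, acct) in revoked
            elif len(times) >= STALE_MIN_FAILURES and _regular_cadence(times):
                f["verdict"] = "stale_credential"            # one account, slow steady retries
                changed = password_changes.get(acct)
                f["after_password_change"] = changed is not None and changed <= times[0]
            else:
                f["verdict"] = "low_volume"
            findings[(ip, acct)] = f
    return findings

if __name__ == "__main__":
    print(status_summary(build_sample()))
    for key, f in triage_4771(build_sample(), PASSWORD_CHANGES).items():
        print(key, f)
```

The grouping is the point: a stale session is one source IP, one account and a steady cadence; a spray is one source and many accounts; a brute force is one account in a fast burst, often followed by 0x12 once lockout kicks in. A 4723/4724 password change for the account shortly before the first 0x18 is the strongest "stale" indicator the DC can give you, which is why the map is an input. Two caveats: the IpAddress in 4771 is the AS-REQ client address, so VPN concentrators and NAT collapse many hosts into one source and the spray heuristic over-fires there; and the thresholds above are placeholders, not tuned values.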