{"alertId": "aa0b733089-4ba9-428a-ac84-50ecf57ff647", "providerAlertId": "0b733089-4ba9-428a-ac84-50ecf57ff647", "incidentId": 765, "serviceSource": "MicrosoftDefenderForIdentity", "creationTime": "2022-11-21T04:13:22.6244685Z", "lastUpdatedTime": "2022-11-26T01:38:23.5333333Z", "resolvedTime": "2022-11-26T01:35:43.0633333Z", "firstActivity": "2022-11-21T01:58:51.222711Z", "lastActivity": "2022-11-21T02:33:50.093383Z", "title": "Suspected identity theft (pass-the-ticket)", "description": "An actor took Steve Lewis (IT director)'s Kerberos ticket from MSDXV2-Win10B and used it on MSDXV2-Win10V to access 3 resources.", "category": "LateralMovement", "status": "Resolved", "severity": "High", "investigationId": null, "investigationState": "UnsupportedAlertType", "classification": "TruePositive", "determination": "SecurityTesting", "detectionSource": "AzureATP", "detectorId": "PassTheTicketSecurityAlert", "assignedTo": "takeshi@msdxv2.m365dpoc.com", "actorName": null, "threatFamilyName": null, "mitreTechniques": ["T1550", "T1550.003"], "devices": [{"mdatpDeviceId": "e138ecd8e7b21eaf952cb35d56349bf50c64ac96", "aadDeviceId": null, "deviceDnsName": "msdxv2-dc.msdxv2.m365dpoc.com", "osPlatform": "WindowsServer2019", "version": "1809", "osProcessor": "x64", "osBuild": 17763, "healthStatus": "Active", "riskScore": "None", "rbacGroupName": "UnassignedGroup", "firstSeen": "2022-08-08T08:27:58.906Z", "tags": [], "defenderAvStatus": "NotSupported", "onboardingStatus": "Onboarded", "vmMetadata": {"vmId": "5bc68ee9-2aaf-4b12-8045-60af8aecad6e", "cloudProvider": "Unknown", "resourceId": "/subscriptions/29e73d07-8740-4164-a257-592a19a7b77c/resourceGroups/MSDXV2/providers/Microsoft.Compute/virtualMachines/MSDXV2-DC", "subscriptionId": "29e73d07-8740-4164-a257-592a19a7b77c"}, "loggedOnUsers": []}, {"mdatpDeviceId": "c7e147cb0eb3534a4dcea5acb8e61c933713b145", "aadDeviceId": null, "deviceDnsName": "msdxv2-win10v.msdxv2.m365dpoc.com", "osPlatform": "Windows10", "version": "1809", "osProcessor": "x64", "osBuild": 17763, "healthStatus": "Active", "riskScore": "None", "rbacGroupName": "Full Auto Clients", "firstSeen": "2022-08-08T08:51:02.455Z", "tags": ["Full auto"], "defenderAvStatus": "Updated", "onboardingStatus": "Onboarded", "vmMetadata": {"vmId": "17881b39-b03f-4a2c-9b56-078be1330bd0", "cloudProvider": "Unknown", "resourceId": "/subscriptions/29e73d07-8740-4164-a257-592a19a7b77c/resourceGroups/MSDXV2/providers/Microsoft.Compute/virtualMachines/MSDXV2-Win10V", "subscriptionId": "29e73d07-8740-4164-a257-592a19a7b77c"}, "loggedOnUsers": []}, {"mdatpDeviceId": "36150b3c1b69b5c2da9df4efd86ac6c166924a48", "aadDeviceId": "14b11ffe-5128-4842-bbdf-31f0fbfcb600", "deviceDnsName": "msdxv2-win10b.msdxv2.m365dpoc.com", "osPlatform": "Windows10", "version": "21H1", "osProcessor": "x64", "osBuild": 19043, "healthStatus": "Active", "riskScore": "None", "rbacGroupName": "Semi Auto Client", "firstSeen": "2022-08-08T08:29:47.252Z", "tags": ["MDE-Management", "semi auto", "servers"], "defenderAvStatus": "Updated", "onboardingStatus": "Onboarded", "vmMetadata": {"vmId": "2f7d6bc4-df6d-4836-becd-aff9cb361b66", "cloudProvider": "Unknown", "resourceId": "/subscriptions/29e73d07-8740-4164-a257-592a19a7b77c/resourceGroups/MSDXV2/providers/Microsoft.Compute/virtualMachines/MSDXV2-Win10B", "subscriptionId": "29e73d07-8740-4164-a257-592a19a7b77c"}, "loggedOnUsers": []}], "entities": [{"entityType": "User", "evidenceCreationTime": "2022-11-21T04:13:22.6633333Z", "verdict": "5", "remediationStatus": "None", "accountName": "krbtgt", "userSid": "S-1-5-21-2300221942-1987151257-321556088-502"}, {"entityType": "User", "evidenceCreationTime": "2022-11-21T04:13:22.6633333Z", "verdict": "Suspicious", "remediationStatus": "None", "accountName": "steve", "domainName": "msdxv2.m365dpoc", "userSid": "S-1-5-21-2300221942-1987151257-321556088-1107", "aadUserId": "0808dea1-2ec8-41d2-8e3e-7c18309fab09", "userPrincipalName": "steve@msdxv2.m365dpoc.com"}, {"entityType": "Ip", "evidenceCreationTime": "2022-11-21T04:13:22.6633333Z", "verdict": "Suspicious", "remediationStatus": "None", "ipAddress": "10.0.0.5"}]}