Kerberos Pre-Auth Failures by User and Host

Kerberos Pre-Auth Failures by User and Host
alert indicates that a single user account on a single host failed authenticating a suspicious number of times in a 10-minute window, in what may be a brute-force attack.


10 minutes
7 days
14 days
10 minutes
Any of the following:
  • Palo Alto Networks firewall traffic logs with Palo Alto Networks Firewall EAL logs
  • Windows event collector logs


The user account on this host failed Kerberos pre-authentications (TGT requests) an unusual number of times when compared to its baseline from the previous 14 days.
This can indicate a Kerberos brute-force attack.

Attacker's Goals

The attacker is attempting to guess the credentials for the user account.

Investigative Actions

  • Verify that the password for the account has not been changed recently, without updating the user or the program using it.
  • Verify any later authentication success for the user accounts referenced by the alert, as these can indicate the attacker managed to guess the credentials.

Recommended For You