Forum Discussion
Correlation issue for Identity theft using Pass-the-Ticket attack and roaming users
- Sep 25, 2018
Hi Justin,
This is right in case of PTT.
In some cases, where the IP addresses are changing rapidly, Azure ATP might not be able to determine if different IP addresses are used by the same computer, or by different computers.
This is a common issue with undersized DHCP pools (VPN, WiFi, etc.), DHCP pools with short lease times, or shared IP addresses (NAT devices). You can find it in our suspicious activity guide: https://aka.ms/atasaguide-ptt
Thanks,
Tali
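
When triaging one of these alerts, DHCP lease history can show whether the two source IP addresses belonged to one machine. The sketch below is an added example, not part of the thread and not Azure ATP's own correlation logic; the lease tuples, addresses and function names are constructed for illustration.

```python
from datetime import datetime

# Constructed lease history: (lease start, lease end, ip, mac).
# This is sample data, not a real DHCP server log format.
LEASES = [
    ("2018-09-25T08:00", "2018-09-25T08:30", "10.0.8.15", "aa:bb:cc:00:00:01"),
    ("2018-09-25T08:30", "2018-09-25T09:00", "10.0.8.15", "aa:bb:cc:00:00:02"),
    ("2018-09-25T08:35", "2018-09-25T09:05", "10.0.8.22", "aa:bb:cc:00:00:01"),
]

def _ts(value):
    return datetime.fromisoformat(value)

def holder(ip, when, leases=LEASES):
    """Return the MAC that held `ip` at time `when`, or None if no lease covers it."""
    t = _ts(when)
    for start, end, lease_ip, mac in leases:
        if lease_ip == ip and _ts(start) <= t < _ts(end):
            return mac
    return None

def triage(first_seen, second_seen, leases=LEASES):
    """Classify two uses of the same Kerberos ticket, each given as (ip, timestamp)."""
    mac_a = holder(first_seen[0], first_seen[1], leases)
    mac_b = holder(second_seen[0], second_seen[1], leases)
    if mac_a is None or mac_b is None:
        # No lease covers one side (static address, NAT device): DHCP data cannot decide.
        return "unknown"
    # Same MAC on both sides means one machine changed address (roaming or short lease).
    return "same-device" if mac_a == mac_b else "different-devices"

if __name__ == "__main__":
    # Roaming user: the address changed, the device did not.
    print(triage(("10.0.8.15", "2018-09-25T08:10"), ("10.0.8.22", "2018-09-25T08:40")))
    # Same IP reassigned to another MAC between the two ticket uses.
    print(triage(("10.0.8.15", "2018-09-25T08:10"), ("10.0.8.15", "2018-09-25T08:45")))
```

A "different-devices" or "unknown" result does not confirm ticket theft; it only means lease data cannot explain the alert and the investigation should continue.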
- edhealea, Sep 25, 2023, Copper Contributor
Hello Tali Ash. We too have seen an uptick in these alerts. It looks to me that it does revolve around DNS trying to assign an IP address to two different devices, or one device has the IP but DNS is trying to assign it to a second device. We'll keep watching this post for any updates.
Are there any tuning options in DofI to tune these out?