Forum Discussion

R B
Copper Contributor
Feb 20, 2018

False alert generated 5 days in the future

Hi.

I'm using 1.8.6645.28499.

I had a "Kerberos Golden Ticket activity" alert generated last week. It said a Kerberos ticket had been in use for 5 days:

start time: 17/02/2018  02:05:47.461

end time: 22/02/2018  03:13:13.613.

You will notice that today is 20/02/2018: 20th Feb. So, it is saying that the end time of the activity that generated the alert is 2 days in the future from today.

If I download the detail and look on the "Network Activities" tab, there are only 2 records, and they have timestamps of:

17/02/2018  02:05:53.606
17/02/2018  02:12:31.437

How was this alert generated?

  • Any chance the involved DC or Gateway experienced a time sync issue? Is one of them a VM that was in a saved state?

    •
      R B
      Copper Contributor

      There is a Light Gateway installed on the DC. The DC is a virtual machine.

      If I check the DC event logs, System, and sort by date descending, there are no logs timestamped in the future. The last reboot according to this log was 24 Jan, and I have continuous logs since that date which show the machine has always been up and running. The current time on the server is correct. If I filter on source: Kernel-General, Event ID 1 ("the system time has changed"), the last time the time was changed was 24 Jan, and that was a microsecond correction. If I look at the events 17 Feb 02:00 - 04:00, I have some for 02:05:25, but that's just normal Windows activity: Group Policy applying, "The Network Connectivity Assistant service entered the stopped state.", "The Windows Update service entered the running state.", "The Portable Device Enumerator Service service entered the running state.", "The Portable Device Enumerator Service service entered the stopped state."

      If I check the Gateway-Errors log on the DC, the only entry on 17 Feb is at 18:05, and it's unrelated.

      If I check the Gateway-Resolution log, I can find the alerting computer in there, and the records around the timestamp for it are 17 Feb 02:04:39 and 02:10:07, both "Resolved using RPC NTLM". This repeats every few minutes.

      I can't find any record that would cause this alert with this timestamp, and the DC has always had the correct time, and it has been up and running continuously with no time change since 24 Jan.

      Where does the "End Date" value come from on the detail download? It does not match the timestamp of the latest event on the Network Activities tab.

      •
        EliOfek
        Microsoft

        In the Network Activities tab, go to the json column, and inside the json dump look for a field called "DomainControllerStartTime". What does it say?
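        The checks the thread walks through by hand (end time later than the newest network activity, end time in the future, ticket lifetime beyond the TGT maximum, and the DomainControllerStartTime field EliOfek asks about) as an added triage script; this is example code, not part of the thread or of ATA. It assumes the alert detail has been exported into the dict shape shown, that DomainControllerStartTime uses the same dd/mm/yyyy timestamp format as the export, and a 10-hour maximum TGT lifetime; the sample values are constructed from the timestamps quoted above.

```python
"""Consistency checks for an exported 'Kerberos Golden Ticket activity' alert."""
from datetime import datetime, timedelta
import json
import re

# Timestamp format used in the quoted alert detail (dd/mm/yyyy, milliseconds).
FMT = "%d/%m/%Y %H:%M:%S.%f"


def parse_ts(text: str) -> datetime:
    """Parse '17/02/2018  02:05:47.461'; the double space in the export is tolerated."""
    return datetime.strptime(re.sub(r"\s+", " ", text.strip()), FMT)


def check_alert(alert: dict, now: datetime,
                max_tgt_lifetime: timedelta = timedelta(hours=10)) -> list:
    """Return findings (strings) explaining why the alert looks inconsistent; [] if it doesn't."""
    start, end = parse_ts(alert["start_time"]), parse_ts(alert["end_time"])
    activities = alert["network_activities"]
    findings = []
    if end > now:  # the symptom reported in the thread: an end time days ahead of today
        findings.append(f"end time {end} is in the future: verify DC/Gateway clock sync")
    last_seen = max(parse_ts(a["timestamp"]) for a in activities)
    if end > last_seen:
        findings.append(f"end time exceeds newest network activity by {end - last_seen}")
    if end - start > max_tgt_lifetime:  # assumed 10 h maximum TGT lifetime (domain default)
        findings.append(f"ticket in use for {end - start}, longer than {max_tgt_lifetime}")
    for a in activities:  # assumed: the json column is a JSON document per activity
        dc_start = json.loads(a["json"]).get("DomainControllerStartTime")
        if dc_start and parse_ts(dc_start) > parse_ts(a["timestamp"]):
            findings.append(f"DomainControllerStartTime {dc_start} is after the activity")
    return findings


# Constructed sample: the values quoted in the thread; the DC start time is made up
# (the poster only says the last reboot was 24 Jan).
SAMPLE_ALERT = {
    "start_time": "17/02/2018  02:05:47.461",
    "end_time": "22/02/2018  03:13:13.613",
    "network_activities": [
        {"timestamp": "17/02/2018  02:05:53.606",
         "json": '{"DomainControllerStartTime": "24/01/2018 09:00:00.000"}'},
        {"timestamp": "17/02/2018  02:12:31.437", "json": "{}"},
    ],
}

if __name__ == "__main__":
    for finding in check_alert(SAMPLE_ALERT, parse_ts("20/02/2018 12:00:00.000")):
        print(finding)
```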