Forum Discussion
Anfo13
Jun 02, 2024, Copper Contributor
Suspected identity theft (pass-the-ticket) on multiple endpoints false positive
I have recently analysed a few Suspected identity theft (pass-the-ticket) alerts which I think are false positives. I've been digging into the logs to try and figure this out, but I'm starting to thi...
logger2115
Sep 16, 2024, Brass Contributor
I'm in the early stages with MDI and learning mode. I'm getting a ton of suspected pass-the-ticket alerts, and they all have :: as the common IPv6 address, since most user machines are on always-on VPN. I'm hesitant to exclude :: since this isn't correct practice. How do I suppress these in a detection rule, or is there another way to exclude them?
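Before excluding "::" outright, an analyst can separate alerts whose only IP evidence is the unspecified address from alerts that also carry a real client IP, and review the two groups differently. The following is an added triage example, not code from this thread or from Microsoft Defender for Identity; the alert records and their field names (`id`, `user`, `ips`) are constructed and hypothetical, not MDI's schema, and `::` is treated via the standard-library `ipaddress` module, which recognises it (and `0.0.0.0`) as the unspecified address.

```python
"""Triage helper: group pass-the-ticket style alerts by the quality of their
IP evidence, so alerts that carry only the unspecified address ("::" or
"0.0.0.0") can be reviewed as a set instead of being excluded globally.
Added example with constructed data; field names are hypothetical."""
import ipaddress
from collections import defaultdict

# Constructed sample alerts (hypothetical fields, not MDI's alert schema).
SAMPLE_ALERTS = [
    {"id": "a1", "user": "alice", "ips": ["::", "10.1.2.3"]},
    {"id": "a2", "user": "bob", "ips": ["::"]},
    {"id": "a3", "user": "carol", "ips": ["0.0.0.0"]},
    {"id": "a4", "user": "dave", "ips": ["10.9.8.7", "10.9.8.8"]},
    {"id": "a5", "user": "erin", "ips": ["not-an-ip", "::"]},
]


def is_unspecified(ip: str) -> bool:
    """True for '::' (IPv6) and '0.0.0.0' (IPv4); False for anything else,
    including strings that do not parse as an address."""
    try:
        return ipaddress.ip_address(ip).is_unspecified
    except ValueError:
        return False


def classify_alert(alert: dict) -> str:
    """Classify an alert by its IP evidence:
    'real_ips'         - only routable/specific addresses
    'mixed'            - at least one specific address plus an unspecified one
    'unspecified_only' - nothing but '::' / '0.0.0.0' (unparseable strings ignored)
    'no_ip_evidence'   - no parseable address at all
    """
    specific, unspecified = [], []
    for ip in alert.get("ips", []):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # ignore malformed values rather than treating them as evidence
        (unspecified if addr.is_unspecified else specific).append(addr)
    if specific and unspecified:
        return "mixed"
    if specific:
        return "real_ips"
    if unspecified:
        return "unspecified_only"
    return "no_ip_evidence"


def triage(alerts: list) -> dict:
    """Return {category: [alert ids]} so each group can be reviewed together.
    'unspecified_only' is the candidate set for tuning; 'real_ips' and
    'mixed' keep a concrete address an analyst can pivot on."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[classify_alert(alert)].append(alert["id"])
    return dict(groups)


if __name__ == "__main__":
    for category, ids in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{category:17s} {ids}")
```

The point of the grouping is that an alert with `::` plus a specific address still has something to investigate, whereas an alert with nothing but the unspecified address is the kind the post describes; reviewing that group on its own, with the users involved, is a safer first step than a blanket exclusion of `::`.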