Sentinel newbie here looking for some detail on the field name Initiator
User Domain. Typically this field matches our domain name, but
occasionally on 4771 Kerberos pre-auth failed events the field equals
"changepw". I am assuming this corresponds to a locked out account
given the event, but I am not 100% sure. Coming from an SM environment,
I am not familiar with this behavior and did not see any documentation
on this. Not surprising given the rather unambiguous field name.

psmcgovern's Profile: