Explain the event code 4771.
Is there an easy way to distinguish 4771 events from a real attack perspective vs. someone having a stale session with an old password?
If you don't get logs from all endpoints and rely on Domain Controllers, you have to key off of 4771 and 4625 for failures, where 4771 covers the Kerberos events from the domain-joined computers to the DCs.
It's nice having visibility across the endpoints without getting logs from everything, but for these 4771 events, most of the alerts I see are just stale sessions and non-security events. I don't see any sub code or item to key off of for stale/old password vs. real attack.
Most of the time these events are noisy in a large user environment with a password change policy. Most of the time this happens when an account's password is expired and it is tied to some application/service/task which keeps trying to log in again and again. If you have a SIEM or log management solution, you can create a rule to ignore event code 4771 for accounts whose password was recently changed or reset (4723/4724, say in the last 24 hours).
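The suppression rule described in the answer above, as an added Python example that is not part of the original thread: it drops 4771 events for accounts that had a 4723 (user changed) or 4724 (admin reset) event in the preceding 24 hours, and it also keeps only Failure Code 0x18 (KDC_ERR_PREAUTH_FAILED, i.e. a wrong password), since other codes such as 0x25 (clock skew) are not password guesses. The events, account names, addresses and the 24-hour window are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of the Security-log fields the rule needs (not real logs).
# 4723/4724 carry the account in TargetUserName; 4771 also carries the client
# IpAddress and the Kerberos FailureCode.
SAMPLE_EVENTS = [
    {"EventID": 4724, "TimeCreated": "2024-05-01T08:00:00", "TargetUserName": "svc_backup"},
    {"EventID": 4771, "TimeCreated": "2024-05-01T09:15:00", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.15", "FailureCode": "0x18"},   # stale creds after admin reset
    {"EventID": 4771, "TimeCreated": "2024-05-01T09:20:00", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.15", "FailureCode": "0x18"},
    {"EventID": 4723, "TimeCreated": "2024-04-28T08:00:00", "TargetUserName": "alice"},
    {"EventID": 4771, "TimeCreated": "2024-05-01T09:30:00", "TargetUserName": "alice",
     "IpAddress": "10.0.0.99", "FailureCode": "0x18"},   # reset was 3 days ago: keep
    {"EventID": 4771, "TimeCreated": "2024-05-01T09:31:00", "TargetUserName": "bob",
     "IpAddress": "10.0.0.99", "FailureCode": "0x25"},   # clock skew, not a bad password
]

SUPPRESS_WINDOW = timedelta(hours=24)   # assumed window, per the answer's "say 24 hrs"
BAD_PASSWORD_CODE = "0x18"              # KDC_ERR_PREAUTH_FAILED


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def password_reset_times(events):
    """Map account -> timestamps of its 4723/4724 events."""
    resets = {}
    for e in events:
        if e["EventID"] in (4723, 4724):
            resets.setdefault(e["TargetUserName"], []).append(parse_ts(e["TimeCreated"]))
    return resets


def filter_4771(events, window=SUPPRESS_WINDOW):
    """Return the 4771 events that should still alert after suppression."""
    resets = password_reset_times(events)
    kept = []
    for e in events:
        if e["EventID"] != 4771 or e.get("FailureCode") != BAD_PASSWORD_CODE:
            continue
        t = parse_ts(e["TimeCreated"])
        recent_reset = any(timedelta(0) <= (t - r) <= window
                           for r in resets.get(e["TargetUserName"], []))
        if recent_reset:
            continue   # most likely a service/task still using the old password
        kept.append(e)
    return kept


if __name__ == "__main__":
    for e in filter_4771(SAMPLE_EVENTS):
        print(e["TimeCreated"], e["TargetUserName"], e["IpAddress"])
```

In a real SIEM the same logic is a correlation between the 4771 stream and a 24-hour lookup table keyed on TargetUserName from 4723/4724.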