Semperis DSP Operations Critical Notifications
| Id | 8f471e21-3bb2-466f-9bc2-0a0326a60788 |
| Rulename | Semperis DSP Operations Critical Notifications |
| Description | Alerts when there are critical notifications fired in the DSP system. |
| Severity | Medium |
| Tactics | InitialAccess CredentialAccess ResourceDevelopment |
| Techniques | T1133 T1110 T1584 |
| Required data connectors | SemperisDSP |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Operations_Critical_Notifications_.yaml |
| Version | 2.0.7 |
| Arm template | 8f471e21-3bb2-466f-9bc2-0a0326a60788.json |
// Semperis DSP notifications land in SecurityEvent as EventID 30001 rows whose EventData
// XML carries the notification fields as repeated <Data Name="...">value</Data> elements.
SecurityEvent
| where EventID == 30001 and EventSourceName == 'Semperis-DSP-Notifications'
// One row per <Data> element, then one column per distinct Name attribute.
| extend p1Xml = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion=array p1Xml
| evaluate bag_unpack(p1Xml)
| extend Name = column_ifexists('@Name', ''), Value = column_ifexists('#text', '')
| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)
// column_ifexists keeps the query valid on runs where no event carried a given field.
| parse column_ifexists('objectDN', '') with * "CN=" cnName "," *
| where column_ifexists('severity', "") == "Critical"
| extend changedBy = column_ifexists('changedBy', "")
// presumably changedBy is DOMAIN\user: element 0 is the NetBIOS domain, element 1 the user — confirm against DSP output
| extend NTDomain = tostring(split(changedBy, '\\')[0]), LoginUser = tostring(split(changedBy, '\\')[1])
// Computer FQDN is split into the short host name and the remaining DNS suffix.
| extend HostName = tostring(split(Computer, '.')[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
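# Microsoft Sentinel scheduled analytic rule: raises an alert when the DSP system emits a
# notification with severity "Critical". The original file wrapped the description in a
# block scalar containing literal single quotes, so the quotes (and a trailing newline)
# became part of the displayed description; it is a plain scalar here.
id: 8f471e21-3bb2-466f-9bc2-0a0326a60788
name: Semperis DSP Operations Critical Notifications
description: Alerts when there are critical notifications fired in the DSP system.
severity: Medium
status: Available
kind: Scheduled
version: 2.0.7

# NOTE(review): the data type listed here is dsp_parser, but the query below reads the
# SecurityEvent table directly — confirm the connector/data-type reference is intended.
requiredDataConnectors:
  - connectorId: SemperisDSP
    dataTypes:
      - dsp_parser

# Runs every 30 minutes over the last 30 minutes; fires whenever at least one row matches.
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0

tactics:
  - InitialAccess
  - CredentialAccess
  - ResourceDevelopment
relevantTechniques:
  - T1133
  - T1110
  - T1584

# Notification fields arrive as <Data Name="...">value</Data> elements inside EventData and
# are pivoted into columns; column_ifexists keeps the query valid when a field is absent.
query: |
  SecurityEvent
  | where EventSourceName == 'Semperis-DSP-Notifications' and EventID == 30001
  | extend p1Xml = parse_xml(EventData).EventData.Data
  | mv-expand bagexpansion=array p1Xml
  | evaluate bag_unpack(p1Xml)
  | extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')
  | evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)
  | parse column_ifexists('objectDN', '') with * "CN=" cnName "," *
  | where "Critical" == column_ifexists('severity', "")
  | extend changedBy = column_ifexists('changedBy', "")
  | extend NTDomain = tostring(split(changedBy, '\\', 0)[0]), LoginUser = tostring(split(changedBy, '\\', 1)[0])
  | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))

# Account comes from changedBy (presumably DOMAIN\user), Host from the Computer FQDN.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: LoginUser
      - identifier: NTDomain
        columnName: NTDomain
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: DnsDomain

# All rows from one run are grouped into a single alert.
eventGroupingSettings:
  aggregationKind: SingleAlert
alertDetailsOverride:
  alertDisplayNameFormat: Critical Notification -- Alert from Semperis Directory Services Protector
  alertDescriptionFormat: A critical notification was created in the DSP system.

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Operations_Critical_Notifications_.yaml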