Microsoft Sentinel Analytic Rules

Semperis DSP Recent sIDHistory changes on AD objects

Rule name: Semperis DSP Recent sIDHistory changes on AD objects
Description: This indicator detects any recent changes to sIDHistory on AD objects, including changes to non-privileged accounts where privileged SIDs are added.
Required data connectors: SemperisDSP
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: Directory Services Protector/Analytic Rules/SemperisDSP_RecentsIDHistoryChangesOnADObjects.yaml
Arm template: 64796da3-6383-4de2-9c97-866c83c459ae.json
// Semperis DSP indicator 9212: recent sIDHistory changes on AD objects.
// NOTE(review): this rendered listing starts at the first pipe; the same query in the
// ARM template below begins with the source table `dsp_parser` — confirm against the source YAML.
// Detection relies entirely on the DSP indicator (event id + indicator name); no further filtering.
| where EventID == 9212
| where SecurityIndicatorName == "Recent sIDHistory changes on objects"
// Split 'DOMAIN\user' into NTDomain and LoginUser, which feed the Account entity mapping.
// NOTE(review): if UserName carries no backslash (e.g. UPN form), LoginUser presumably
// ends up empty and the Account entity gets an empty Name — verify the format DSP emits.
| extend NTDomain = tostring(split(UserName, '\\', 0)[0]), LoginUser = tostring(split(UserName, '\\', 1)[0])
// Split the FQDN in Computer: first label -> HostName, remaining labels re-joined with '.' -> DnsDomain
// (DnsDomain is presumably empty when Computer is a bare hostname — confirm). Both feed the Host entity mapping.
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
# Rendered view of the analytic-rule YAML (source path in OriginalUri). Key order differs
# from the source file and several parent keys appear to have been dropped in rendering;
# the ARM template below is the more complete reference for the deployed values.
triggerOperator: gt
queryFrequency: 1h
# NOTE(review): the single quotes inside this block scalar are literal — the deployed
# description in the ARM template starts and ends with "'". Consider dropping them in the source.
description: |
    'This indicator detects any recent changes to sIDHistory on AD objects, including changes to non-privileged accounts where privileged SIDs are added.'
status: Available
# Scheduled rule: runs every queryFrequency over the last queryPeriod.
kind: Scheduled
# Threshold 0 with operator gt: any returned row raises an alert.
triggerThreshold: 0
# NOTE(review): the connector and data-type entries below have lost their parent keys in
# this rendering (the deployed query reads from dsp_parser); confirm against the source YAML.
- connectorId: SemperisDSP
  - dsp_parser
version: 1.0.1
queryPeriod: 1h
name: Semperis DSP Recent sIDHistory changes on AD objects
OriginalUri: Directory Services Protector/Analytic Rules/SemperisDSP_RecentsIDHistoryChangesOnADObjects.yaml
id: 64796da3-6383-4de2-9c97-866c83c459ae
# Tactics entry (listed under "tactics" in the ARM template); parent key not visible here.
- PrivilegeEscalation
severity: High
# Entity mappings: Account from the LoginUser/NTDomain columns and Host from the
# HostName/DnsDomain columns that the query's extend statements produce. Parent key not visible here.
- fieldMappings:
  - identifier: Name
    columnName: LoginUser
  - identifier: NTDomain
    columnName: NTDomain
  entityType: Account
- fieldMappings:
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
# Detection query. NOTE(review): this rendered block omits the source-table line;
# the ARM template's query begins with dsp_parser — confirm against the source YAML.
query: |
  | where EventID == 9212
  | where SecurityIndicatorName == "Recent sIDHistory changes on objects"
  | extend NTDomain = tostring(split(UserName, '\\', 0)[0]), LoginUser = tostring(split(UserName, '\\', 1)[0])
  | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))  
  "$schema": "",
  "contentVersion": "",
  "parameters": {
    "workspace": {
      "type": "String"
  "resources": [
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/64796da3-6383-4de2-9c97-866c83c459ae')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/64796da3-6383-4de2-9c97-866c83c459ae')]",
      "properties": {
        "alertRuleTemplateName": "64796da3-6383-4de2-9c97-866c83c459ae",
        "customDetails": null,
        "description": "'This indicator detects any recent changes to sIDHistory on AD objects, including changes to non-privileged accounts where privileged SIDs are added.'\n",
        "displayName": "Semperis DSP Recent sIDHistory changes on AD objects",
        "enabled": true,
        "entityMappings": [
            "entityType": "Account",
            "fieldMappings": [
                "columnName": "LoginUser",
                "identifier": "Name"
                "columnName": "NTDomain",
                "identifier": "NTDomain"
            "entityType": "Host",
            "fieldMappings": [
                "columnName": "HostName",
                "identifier": "HostName"
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
        "OriginalUri": " Directory Services Protector/Analytic Rules/SemperisDSP_RecentsIDHistoryChangesOnADObjects.yaml",
        "query": "dsp_parser\n| where EventID == 9212\n| where SecurityIndicatorName == \"Recent sIDHistory changes on objects\"\n| extend NTDomain = tostring(split(UserName, '\\\\', 0)[0]), LoginUser = tostring(split(UserName, '\\\\', 1)[0])\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"