Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Semperis DSP Failed Logons

Semperis DSP Failed Logons

Back
Id0e105444-fe13-4ce6-9239-21880076a3f9
RulenameSemperis DSP Failed Logons
DescriptionAlerts when there are failed logons in the DSP system.
SeverityMedium
TacticsInitialAccess
CredentialAccess
TechniquesT1078
T1110
Required data connectorsSemperisDSP
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Failed_Logons.yaml
Version2.0.7
Arm template0e105444-fe13-4ce6-9239-21880076a3f9.json
Deploy To Azure
SecurityEvent
| where EventSourceName == 'Semperis-Operation-Log' and EventID == 20002
| sort by TimeGenerated desc 
| extend p1Xml = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion=array p1Xml
| evaluate bag_unpack(p1Xml)
| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')
| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)
| extend det = column_ifexists('details', '')
| parse det with * "Trustee Name: " TrusteeName " Correlation ID: " * " Source: " HostIP "WebSite Target" *
| extend host = tostring(HostIP)
| extend HostIP = trim_end(":", HostIP)
| project TimeGenerated, TrusteeName, HostIP, _ResourceId
| extend NTDomain = tostring(split(TrusteeName, '\\', 0)[0]), Name = tostring(split(TrusteeName, '\\', 1)[0]) 

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Failed_Logons.yaml
query: |
  SecurityEvent
  | where EventSourceName == 'Semperis-Operation-Log' and EventID == 20002
  | sort by TimeGenerated desc 
  | extend p1Xml = parse_xml(EventData).EventData.Data
  | mv-expand bagexpansion=array p1Xml
  | evaluate bag_unpack(p1Xml)
  | extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')
  | evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)
  | extend det = column_ifexists('details', '')
  | parse det with * "Trustee Name: " TrusteeName " Correlation ID: " * " Source: " HostIP "WebSite Target" *
  | extend host = tostring(HostIP)
  | extend HostIP = trim_end(":", HostIP)
  | project TimeGenerated, TrusteeName, HostIP, _ResourceId
  | extend NTDomain = tostring(split(TrusteeName, '\\', 0)[0]), Name = tostring(split(TrusteeName, '\\', 1)[0])   
description: |
    'Alerts when there are failed logons in the DSP system.'
severity: Medium
requiredDataConnectors:
- dataTypes:
  - dsp_parser
  connectorId: SemperisDSP
eventGroupingSettings:
  aggregationKind: SingleAlert
name: Semperis DSP Failed Logons
triggerThreshold: 0
version: 2.0.7
tactics:
- InitialAccess
- CredentialAccess
alertDetailsOverride:
  alertDescriptionFormat: A failed logon was detected to the DSP system.
  alertDisplayNameFormat: Failed Logon -- Alert from Semperis Directory Services Protector
relevantTechniques:
- T1078
- T1110
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: HostIP
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: NTDomain
    identifier: NTDomain
id: 0e105444-fe13-4ce6-9239-21880076a3f9
status: Available
kind: Scheduled
queryFrequency: 30m
queryPeriod: 30m

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0e105444-fe13-4ce6-9239-21880076a3f9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0e105444-fe13-4ce6-9239-21880076a3f9')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A failed logon was detected to the DSP system.",
          "alertDisplayNameFormat": "Failed Logon -- Alert from Semperis Directory Services Protector"
        },
        "alertRuleTemplateName": "0e105444-fe13-4ce6-9239-21880076a3f9",
        "customDetails": null,
        "description": "'Alerts when there are failed logons in the DSP system.'\n",
        "displayName": "Semperis DSP Failed Logons",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "HostIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Failed_Logons.yaml",
        "query": "SecurityEvent\n| where EventSourceName == 'Semperis-Operation-Log' and EventID == 20002\n| sort by TimeGenerated desc \n| extend p1Xml = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\n| extend det = column_ifexists('details', '')\n| parse det with * \"Trustee Name: \" TrusteeName \" Correlation ID: \" * \" Source: \" HostIP \"WebSite Target\" *\n| extend host = tostring(HostIP)\n| extend HostIP = trim_end(\":\", HostIP)\n| project TimeGenerated, TrusteeName, HostIP, _ResourceId\n| extend NTDomain = tostring(split(TrusteeName, '\\\\', 0)[0]), Name = tostring(split(TrusteeName, '\\\\', 1)[0]) \n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1110"
        ],
        "templateVersion": "2.0.7",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}