Semperis DSP Failed Logons

Back


Id	0e105444-fe13-4ce6-9239-21880076a3f9
Rulename	Semperis DSP Failed Logons
Description	Alerts when there are failed logons in the DSP system.
Severity	Medium
Tactics	InitialAccess CredentialAccess
Techniques	T1078 T1110
Required data connectors	SemperisDSP
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Failed_Logons.yaml
Version	1.1.1
Arm template	0e105444-fe13-4ce6-9239-21880076a3f9.json

KQL

Event
| where Source == 'Semperis-Operation-Log' and EventID == 20002
| sort by TimeGenerated desc 
| parse RenderedDescription with "Operation: " Operation "Access Granted:" AccessGranted "Result: " Result "Details: " * "Trustee Name: " TrusteeName " Correlation ID: " * " Source: " HostIP "WebSite Target" *
| extend host = tostring(HostIP)
| extend HostIP = trim_end(":", HostIP)
| project TimeGenerated, UserName, HostIP, _ResourceId
| extend NTDomain = tostring(split(UserName, '\\', 0)[0]), Name = tostring(split(UserName, '\\', 1)[0])

YAML

relevantTechniques:
- T1078
- T1110
name: Semperis DSP Failed Logons
requiredDataConnectors:
- dataTypes:
  - dsp_parser
  connectorId: SemperisDSP
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: HostIP
  entityType: IP
- fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: NTDomain
    columnName: NTDomain
  entityType: Account
triggerThreshold: 0
id: 0e105444-fe13-4ce6-9239-21880076a3f9
tactics:
- InitialAccess
- CredentialAccess
version: 1.1.1
alertDetailsOverride:
  alertDisplayNameFormat: Failed Logon -- Alert from Semperis Directory Services Protector
  alertDescriptionFormat: A failed logon was detected to the DSP system.
queryPeriod: 30m
kind: Scheduled
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Failed_Logons.yaml
queryFrequency: 30m
severity: Medium
status: Available
description: |
    'Alerts when there are failed logons in the DSP system.'
query: |
  Event
  | where Source == 'Semperis-Operation-Log' and EventID == 20002
  | sort by TimeGenerated desc 
  | parse RenderedDescription with "Operation: " Operation "Access Granted:" AccessGranted "Result: " Result "Details: " * "Trustee Name: " TrusteeName " Correlation ID: " * " Source: " HostIP "WebSite Target" *
  | extend host = tostring(HostIP)
  | extend HostIP = trim_end(":", HostIP)
  | project TimeGenerated, UserName, HostIP, _ResourceId
  | extend NTDomain = tostring(split(UserName, '\\', 0)[0]), Name = tostring(split(UserName, '\\', 1)[0])   
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0e105444-fe13-4ce6-9239-21880076a3f9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0e105444-fe13-4ce6-9239-21880076a3f9')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A failed logon was detected to the DSP system.",
          "alertDisplayNameFormat": "Failed Logon -- Alert from Semperis Directory Services Protector"
        },
        "alertRuleTemplateName": "0e105444-fe13-4ce6-9239-21880076a3f9",
        "customDetails": null,
        "description": "'Alerts when there are failed logons in the DSP system.'\n",
        "displayName": "Semperis DSP Failed Logons",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "HostIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Failed_Logons.yaml",
        "query": "Event\n| where Source == 'Semperis-Operation-Log' and EventID == 20002\n| sort by TimeGenerated desc \n| parse RenderedDescription with \"Operation: \" Operation \"Access Granted:\" AccessGranted \"Result: \" Result \"Details: \" * \"Trustee Name: \" TrusteeName \" Correlation ID: \" * \" Source: \" HostIP \"WebSite Target\" *\n| extend host = tostring(HostIP)\n| extend HostIP = trim_end(\":\", HostIP)\n| project TimeGenerated, UserName, HostIP, _ResourceId\n| extend NTDomain = tostring(split(UserName, '\\\\', 0)[0]), Name = tostring(split(UserName, '\\\\', 1)[0]) \n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1110"
        ],
        "templateVersion": "1.1.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}