Semperis DSP Failed Logons

Back


Id	0e105444-fe13-4ce6-9239-21880076a3f9
Rulename	Semperis DSP Failed Logons
Description	Alerts when there are failed logons in the DSP system.
Severity	Medium
Tactics	InitialAccess CredentialAccess
Techniques	T1078 T1110
Required data connectors	SemperisDSP
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Failed_Logons.yaml
Version	1.1.1
Arm template	0e105444-fe13-4ce6-9239-21880076a3f9.json

KQL

Event
| where Source == 'Semperis-Operation-Log' and EventID == 20002
| sort by TimeGenerated desc 
| parse RenderedDescription with "Operation: " Operation "Access Granted:" AccessGranted "Result: " Result "Details: " * "Trustee Name: " TrusteeName " Correlation ID: " * " Source: " HostIP "WebSite Target" *
| extend host = tostring(HostIP)
| extend HostIP = trim_end(":", HostIP)
| project TimeGenerated, UserName, HostIP, _ResourceId
| extend NTDomain = tostring(split(UserName, '\\', 0)[0]), Name = tostring(split(UserName, '\\', 1)[0])

YAML

id: 0e105444-fe13-4ce6-9239-21880076a3f9
tactics:
- InitialAccess
- CredentialAccess
queryPeriod: 30m
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerThreshold: 0
name: Semperis DSP Failed Logons
query: |
  Event
  | where Source == 'Semperis-Operation-Log' and EventID == 20002
  | sort by TimeGenerated desc 
  | parse RenderedDescription with "Operation: " Operation "Access Granted:" AccessGranted "Result: " Result "Details: " * "Trustee Name: " TrusteeName " Correlation ID: " * " Source: " HostIP "WebSite Target" *
  | extend host = tostring(HostIP)
  | extend HostIP = trim_end(":", HostIP)
  | project TimeGenerated, UserName, HostIP, _ResourceId
  | extend NTDomain = tostring(split(UserName, '\\', 0)[0]), Name = tostring(split(UserName, '\\', 1)[0])   
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1078
- T1110
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Failed_Logons.yaml
queryFrequency: 30m
requiredDataConnectors:
- connectorId: SemperisDSP
  dataTypes:
  - dsp_parser
version: 1.1.1
description: |
    'Alerts when there are failed logons in the DSP system.'
status: Available
alertDetailsOverride:
  alertDisplayNameFormat: Failed Logon -- Alert from Semperis Directory Services Protector
  alertDescriptionFormat: A failed logon was detected to the DSP system.
entityMappings:
- fieldMappings:
  - columnName: HostIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: NTDomain
    identifier: NTDomain
  entityType: Account

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0e105444-fe13-4ce6-9239-21880076a3f9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0e105444-fe13-4ce6-9239-21880076a3f9')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A failed logon was detected to the DSP system.",
          "alertDisplayNameFormat": "Failed Logon -- Alert from Semperis Directory Services Protector"
        },
        "alertRuleTemplateName": "0e105444-fe13-4ce6-9239-21880076a3f9",
        "customDetails": null,
        "description": "'Alerts when there are failed logons in the DSP system.'\n",
        "displayName": "Semperis DSP Failed Logons",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "HostIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Failed_Logons.yaml",
        "query": "Event\n| where Source == 'Semperis-Operation-Log' and EventID == 20002\n| sort by TimeGenerated desc \n| parse RenderedDescription with \"Operation: \" Operation \"Access Granted:\" AccessGranted \"Result: \" Result \"Details: \" * \"Trustee Name: \" TrusteeName \" Correlation ID: \" * \" Source: \" HostIP \"WebSite Target\" *\n| extend host = tostring(HostIP)\n| extend HostIP = trim_end(\":\", HostIP)\n| project TimeGenerated, UserName, HostIP, _ResourceId\n| extend NTDomain = tostring(split(UserName, '\\\\', 0)[0]), Name = tostring(split(UserName, '\\\\', 1)[0]) \n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1110"
        ],
        "templateVersion": "1.1.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}