Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Pathlock TDnR - Kerberos Keytab Changes

Pathlock TDnR - Kerberos Keytab Changes

Back
Id2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c12
RulenamePathlock TDnR - Kerberos Keytab Changes
DescriptionDetects changes to Kerberos keytab configuration in SAP, forwarded by Pathlock Threat Detection and Response. Modifications to Kerberos settings may indicate credential theft, SSO bypass attempts, or persistent access mechanisms leveraging Kerberos delegation.
SeverityHigh
TacticsCredentialAccess
Persistence
TechniquesT1558
T1098
Required data connectorsPathlock_TDnR
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_KERBEROS.yaml
Version1.0.0
Arm template2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c12.json
Deploy To Azure
Pathlock_TDnR_CL
| where DataSource == "CHANGEDOC_KERBEROS"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
          Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
          MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs

version: 1.0.0
queryPeriod: 1h
suppressionDuration: 5h
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Bname
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: Hostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIp
eventGroupingSettings:
  aggregationKind: SingleAlert
tactics:
- CredentialAccess
- Persistence
status: Available
relevantTechniques:
- T1558
- T1098
triggerOperator: gt
suppressionEnabled: false
requiredDataConnectors:
- connectorId: Pathlock_TDnR
  dataTypes:
  - Pathlock_TDnR_CL
queryFrequency: 1h
severity: High
kind: Scheduled
incidentConfiguration:
  groupingConfiguration:
    groupByEntities: []
    enabled: true
    groupByAlertDetails: []
    groupByCustomDetails: []
    reopenClosedIncident: false
    matchingMethod: AnyAlert
    lookbackDuration: 5h
  createIncident: true
triggerThreshold: 0
query: |
  Pathlock_TDnR_CL
  | where DataSource == "CHANGEDOC_KERBEROS"
  | project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
            Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
            MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs  
description: Detects changes to Kerberos keytab configuration in SAP, forwarded by Pathlock Threat Detection and Response. Modifications to Kerberos settings may indicate credential theft, SSO bypass attempts, or persistent access mechanisms leveraging Kerberos delegation.
id: 2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c12
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_KERBEROS.yaml
name: Pathlock TDnR - Kerberos Keytab Changes