Pathlock TDnR - Kerberos Keytab Changes
| Id | 2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c12 |
| Rulename | Pathlock TDnR - Kerberos Keytab Changes |
| Description | Detects changes to Kerberos keytab configuration in SAP, forwarded by Pathlock Threat Detection and Response. Modifications to Kerberos settings may indicate credential theft, SSO bypass attempts, or persistent access mechanisms leveraging Kerberos delegation. |
| Severity | High |
| Tactics | CredentialAccess Persistence |
| Techniques | T1558 T1098 |
| Required data connectors | Pathlock_TDnR |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_KERBEROS.yaml |
| Version | 1.0.0 |
| Arm template | 2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c12.json |
Pathlock_TDnR_CL
| where DataSource == "CHANGEDOC_KERBEROS"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Bname
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Hostname
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIp
tactics:
- CredentialAccess
- Persistence
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
- Pathlock_TDnR_CL
connectorId: Pathlock_TDnR
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
groupByAlertDetails: []
lookbackDuration: 5h
groupByEntities: []
groupByCustomDetails: []
enabled: true
matchingMethod: AnyAlert
createIncident: true
id: 2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c12
severity: High
eventGroupingSettings:
aggregationKind: SingleAlert
status: Available
query: |
Pathlock_TDnR_CL
| where DataSource == "CHANGEDOC_KERBEROS"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_KERBEROS.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.0
name: Pathlock TDnR - Kerberos Keytab Changes
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1558
- T1098
description: Detects changes to Kerberos keytab configuration in SAP, forwarded by Pathlock Threat Detection and Response. Modifications to Kerberos settings may indicate credential theft, SSO bypass attempts, or persistent access mechanisms leveraging Kerberos delegation.
triggerOperator: gt