Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Alsid Password issues

Back
Id472b7cf4-bf1a-4061-b9ab-9fe4894e3c17
RulenameAlsid Password issues
DescriptionSearches for triggered Indicators of Exposures related to password issues
SeverityLow
TacticsCredentialAccess
TechniquesT1110
Required data connectorsAlsidForAD
KindScheduled
Query frequency2h
Query period2h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/PasswordIssues.yaml
Version1.0.1
Arm template472b7cf4-bf1a-4061-b9ab-9fe4894e3c17.json
Deploy To Azure
let SeverityTable=datatable(Severity:string,Level:int) [
"low", 1,
"medium", 2,
"high", 3,
"critical", 4
];
let codeNameList = datatable(Codename:string)["C-CLEARTEXT-PASSWORD", "C-PASSWORD-DONT-EXPIRE", "C-USER-REVER-PWDS", "C-PASSWORD-POLICY", "C-USER-PASSWORD", "C-KRBTGT-PASSWORD", "C-AAD-SSO-PASSWORD", "C-REVER-PWD-GPO"];
afad_parser
| where MessageType == 0 and Codename in~ (codeNameList)
| lookup kind=leftouter SeverityTable on Severity
| order by Level
| extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
name: Alsid Password issues
tactics:
- CredentialAccess
kind: Scheduled
description: |
    'Searches for triggered Indicators of Exposures related to password issues'
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/PasswordIssues.yaml
version: 1.0.1
triggerThreshold: 0
queryFrequency: 2h
triggerOperator: gt
relevantTechniques:
- T1110
requiredDataConnectors:
- connectorId: AlsidForAD
  dataTypes:
  - AlsidForADLog_CL
severity: Low
queryPeriod: 2h
status: Available
query: |
  let SeverityTable=datatable(Severity:string,Level:int) [
  "low", 1,
  "medium", 2,
  "high", 3,
  "critical", 4
  ];
  let codeNameList = datatable(Codename:string)["C-CLEARTEXT-PASSWORD", "C-PASSWORD-DONT-EXPIRE", "C-USER-REVER-PWDS", "C-PASSWORD-POLICY", "C-USER-PASSWORD", "C-KRBTGT-PASSWORD", "C-AAD-SSO-PASSWORD", "C-REVER-PWD-GPO"];
  afad_parser
  | where MessageType == 0 and Codename in~ (codeNameList)
  | lookup kind=leftouter SeverityTable on Severity
  | order by Level
  | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))  
id: 472b7cf4-bf1a-4061-b9ab-9fe4894e3c17
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/472b7cf4-bf1a-4061-b9ab-9fe4894e3c17')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/472b7cf4-bf1a-4061-b9ab-9fe4894e3c17')]",
      "properties": {
        "alertRuleTemplateName": "472b7cf4-bf1a-4061-b9ab-9fe4894e3c17",
        "customDetails": null,
        "description": "'Searches for triggered Indicators of Exposures related to password issues'\n",
        "displayName": "Alsid Password issues",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/PasswordIssues.yaml",
        "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-CLEARTEXT-PASSWORD\", \"C-PASSWORD-DONT-EXPIRE\", \"C-USER-REVER-PWDS\", \"C-PASSWORD-POLICY\", \"C-USER-PASSWORD\", \"C-KRBTGT-PASSWORD\", \"C-AAD-SSO-PASSWORD\", \"C-REVER-PWD-GPO\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n| extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))\n",
        "queryFrequency": "PT2H",
        "queryPeriod": "PT2H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}