Semperis DSP Operations Critical Notifications
| Id | 8f471e21-3bb2-466f-9bc2-0a0326a60788 |
| Rulename | Semperis DSP Operations Critical Notifications |
| Description | Alerts when there are critical notifications fired in the DSP system. |
| Severity | Medium |
| Tactics | InitialAccess CredentialAccess ResourceDevelopment |
| Techniques | T1133 T1110 T1584 |
| Required data connectors | SemperisDSP |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Operations_Critical_Notifications_.yaml |
| Version | 2.0.7 |
| Arm template | 8f471e21-3bb2-466f-9bc2-0a0326a60788.json |
SecurityEvent
| where EventSourceName == 'Semperis-DSP-Notifications' and EventID == 30001
| extend p1Xml = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion=array p1Xml
| evaluate bag_unpack(p1Xml)
| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')
| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)
| parse column_ifexists('objectDN', '') with * "CN=" cnName "," *
| where "Critical" == column_ifexists('severity', "")
| extend changedBy = column_ifexists('changedBy', "")
| extend NTDomain = tostring(split(changedBy, '\\', 0)[0]), LoginUser = tostring(split(changedBy, '\\', 1)[0])
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
name: Semperis DSP Operations Critical Notifications
status: Available
severity: Medium
requiredDataConnectors:
- connectorId: SemperisDSP
dataTypes:
- dsp_parser
tactics:
- InitialAccess
- CredentialAccess
- ResourceDevelopment
queryFrequency: 30m
version: 2.0.7
relevantTechniques:
- T1133
- T1110
- T1584
description: |
'Alerts when there are critical notifications fired in the DSP system.'
kind: Scheduled
id: 8f471e21-3bb2-466f-9bc2-0a0326a60788
entityMappings:
- fieldMappings:
- identifier: Name
columnName: LoginUser
- identifier: NTDomain
columnName: NTDomain
entityType: Account
- fieldMappings:
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
entityType: Host
eventGroupingSettings:
aggregationKind: SingleAlert
triggerThreshold: 0
queryPeriod: 30m
alertDetailsOverride:
alertDescriptionFormat: A critical notification was created in the DSP system.
alertDisplayNameFormat: Critical Notification -- Alert from Semperis Directory Services Protector
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Operations_Critical_Notifications_.yaml
query: |
SecurityEvent
| where EventSourceName == 'Semperis-DSP-Notifications' and EventID == 30001
| extend p1Xml = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion=array p1Xml
| evaluate bag_unpack(p1Xml)
| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')
| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)
| parse column_ifexists('objectDN', '') with * "CN=" cnName "," *
| where "Critical" == column_ifexists('severity', "")
| extend changedBy = column_ifexists('changedBy', "")
| extend NTDomain = tostring(split(changedBy, '\\', 0)[0]), LoginUser = tostring(split(changedBy, '\\', 1)[0])
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
triggerOperator: gt