Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Semperis DSP Operations Critical Notifications

Back
Id8f471e21-3bb2-466f-9bc2-0a0326a60788
RulenameSemperis DSP Operations Critical Notifications
DescriptionAlerts when there are critical notifications fired in the DSP system.
SeverityMedium
Required data connectorsSemperisDSP
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Operations_Critical_Notifications_.yaml
Version1.1.0
Arm template8f471e21-3bb2-466f-9bc2-0a0326a60788.json
Deploy To Azure
Event
| where Source == 'Semperis-DSP-Notifications' and EventID == 30001
| extend p1Xml = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array p1Xml
| evaluate bag_unpack(p1Xml)
| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')
| parse column_ifexists('objectDN', '') with * "CN=" cnName "," *
| where "Critical" == column_ifexists('severity', "")
| extend NTDomain = tostring(split(UserName, '\\', 0)[0]), LoginUser = tostring(split(UserName, '\\', 1)[0])
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
queryPeriod: 30m
eventGroupingSettings:
  aggregationKind: SingleAlert
alertDetailsOverride:
  alertDescriptionFormat: A critical notification was created in the DSP system.
  alertDisplayNameFormat: Critical Notification -- Alert from Semperis Directory Services Protector
kind: Scheduled
triggerThreshold: 0
triggerOperator: gt
version: 1.1.0
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: LoginUser
  - identifier: NTDomain
    columnName: NTDomain
  entityType: Account
- fieldMappings:
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
query: |
  Event
  | where Source == 'Semperis-DSP-Notifications' and EventID == 30001
  | extend p1Xml = parse_xml(EventData).DataItem.EventData.Data
  | mv-expand bagexpansion=array p1Xml
  | evaluate bag_unpack(p1Xml)
  | extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')
  | parse column_ifexists('objectDN', '') with * "CN=" cnName "," *
  | where "Critical" == column_ifexists('severity', "")
  | extend NTDomain = tostring(split(UserName, '\\', 0)[0]), LoginUser = tostring(split(UserName, '\\', 1)[0])
  | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))  
name: Semperis DSP Operations Critical Notifications
queryFrequency: 30m
requiredDataConnectors:
- connectorId: SemperisDSP
  dataTypes:
  - dsp_parser
description: |
    'Alerts when there are critical notifications fired in the DSP system.'
status: Available
id: 8f471e21-3bb2-466f-9bc2-0a0326a60788
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Operations_Critical_Notifications_.yaml
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8f471e21-3bb2-466f-9bc2-0a0326a60788')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8f471e21-3bb2-466f-9bc2-0a0326a60788')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A critical notification was created in the DSP system.",
          "alertDisplayNameFormat": "Critical Notification -- Alert from Semperis Directory Services Protector"
        },
        "alertRuleTemplateName": "8f471e21-3bb2-466f-9bc2-0a0326a60788",
        "customDetails": null,
        "description": "'Alerts when there are critical notifications fired in the DSP system.'\n",
        "displayName": "Semperis DSP Operations Critical Notifications",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "LoginUser",
                "identifier": "Name"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Operations_Critical_Notifications_.yaml",
        "query": "Event\n| where Source == 'Semperis-DSP-Notifications' and EventID == 30001\n| extend p1Xml = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')\n| parse column_ifexists('objectDN', '') with * \"CN=\" cnName \",\" *\n| where \"Critical\" == column_ifexists('severity', \"\")\n| extend NTDomain = tostring(split(UserName, '\\\\', 0)[0]), LoginUser = tostring(split(UserName, '\\\\', 1)[0])\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "templateVersion": "1.1.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}