Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Semperis DSP Operations Critical Notifications

Semperis DSP Operations Critical Notifications

Back
Id8f471e21-3bb2-466f-9bc2-0a0326a60788
RulenameSemperis DSP Operations Critical Notifications
DescriptionAlerts when there are critical notifications fired in the DSP system.
SeverityMedium
TacticsInitialAccess
CredentialAccess
ResourceDevelopment
TechniquesT1133
T1110
T1584
Required data connectorsSemperisDSP
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Operations_Critical_Notifications_.yaml
Version2.0.7
Arm template8f471e21-3bb2-466f-9bc2-0a0326a60788.json
Deploy To Azure
SecurityEvent
| where EventSourceName == 'Semperis-DSP-Notifications' and EventID == 30001
| extend p1Xml = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion=array p1Xml
| evaluate bag_unpack(p1Xml)
| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')
| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)
| parse column_ifexists('objectDN', '') with * "CN=" cnName "," *
| where "Critical" == column_ifexists('severity', "")
| extend changedBy = column_ifexists('changedBy', "")
| extend NTDomain = tostring(split(changedBy, '\\', 0)[0]), LoginUser = tostring(split(changedBy, '\\', 1)[0])
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))

tactics:
- InitialAccess
- CredentialAccess
- ResourceDevelopment
entityMappings:
- fieldMappings:
  - columnName: LoginUser
    identifier: Name
  - columnName: NTDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
  entityType: Host
queryPeriod: 30m
requiredDataConnectors:
- dataTypes:
  - dsp_parser
  connectorId: SemperisDSP
alertDetailsOverride:
  alertDescriptionFormat: A critical notification was created in the DSP system.
  alertDisplayNameFormat: Critical Notification -- Alert from Semperis Directory Services Protector
triggerThreshold: 0
status: Available
kind: Scheduled
relevantTechniques:
- T1133
- T1110
- T1584
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Operations_Critical_Notifications_.yaml
description: |
    'Alerts when there are critical notifications fired in the DSP system.'
query: |
  SecurityEvent
  | where EventSourceName == 'Semperis-DSP-Notifications' and EventID == 30001
  | extend p1Xml = parse_xml(EventData).EventData.Data
  | mv-expand bagexpansion=array p1Xml
  | evaluate bag_unpack(p1Xml)
  | extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')
  | evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)
  | parse column_ifexists('objectDN', '') with * "CN=" cnName "," *
  | where "Critical" == column_ifexists('severity', "")
  | extend changedBy = column_ifexists('changedBy', "")
  | extend NTDomain = tostring(split(changedBy, '\\', 0)[0]), LoginUser = tostring(split(changedBy, '\\', 1)[0])
  | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))  
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 2.0.7
id: 8f471e21-3bb2-466f-9bc2-0a0326a60788
name: Semperis DSP Operations Critical Notifications
queryFrequency: 30m
triggerOperator: gt
severity: Medium

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8f471e21-3bb2-466f-9bc2-0a0326a60788')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8f471e21-3bb2-466f-9bc2-0a0326a60788')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A critical notification was created in the DSP system.",
          "alertDisplayNameFormat": "Critical Notification -- Alert from Semperis Directory Services Protector"
        },
        "alertRuleTemplateName": "8f471e21-3bb2-466f-9bc2-0a0326a60788",
        "customDetails": null,
        "description": "'Alerts when there are critical notifications fired in the DSP system.'\n",
        "displayName": "Semperis DSP Operations Critical Notifications",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "LoginUser",
                "identifier": "Name"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Operations_Critical_Notifications_.yaml",
        "query": "SecurityEvent\n| where EventSourceName == 'Semperis-DSP-Notifications' and EventID == 30001\n| extend p1Xml = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')\n| evaluate pivot(Name, any(Value), TimeGenerated, EventSourceName, Channel, Computer, Level, EventLevelName, EventID, Task, Type, _ResourceId)\n| parse column_ifexists('objectDN', '') with * \"CN=\" cnName \",\" *\n| where \"Critical\" == column_ifexists('severity', \"\")\n| extend changedBy = column_ifexists('changedBy', \"\")\n| extend NTDomain = tostring(split(changedBy, '\\\\', 0)[0]), LoginUser = tostring(split(changedBy, '\\\\', 1)[0])\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "InitialAccess",
          "ResourceDevelopment"
        ],
        "techniques": [
          "T1110",
          "T1133",
          "T1584"
        ],
        "templateVersion": "2.0.7",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}