Semperis DSP Operations Critical Notifications
Id | 8f471e21-3bb2-466f-9bc2-0a0326a60788 |
Rulename | Semperis DSP Operations Critical Notifications |
Description | Alerts when there are critical notifications fired in the DSP system. |
Severity | Medium |
Required data connectors | SemperisDSP |
Kind | Scheduled |
Query frequency | 30m |
Query period | 30m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Operations_Critical_Notifications_.yaml |
Arm template | 8f471e21-3bb2-466f-9bc2-0a0326a60788.json |
Event
| where Source == 'Semperis-DSP-Notifications' and EventID == 30001
| extend p1Xml = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array p1Xml
| evaluate bag_unpack(p1Xml)
| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')
| evaluate pivot(Name, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, EventCategory, UserName, Type, _ResourceId)
| parse column_ifexists('objectDN', '') with * "CN=" cnName "," *
| where "Critical" == column_ifexists('severity', "")
| count
triggerThreshold: 0
queryFrequency: 30m
id: 8f471e21-3bb2-466f-9bc2-0a0326a60788
alertDetailsOverride:
alertDescriptionFormat: A critical notification was created in the DSP system.
alertDisplayNameFormat: Critical Notification -- Alert from Semperis Directory Services Protector
kind: Scheduled
triggerOperator: gt
severity: Medium
eventGroupingSettings:
aggregationKind: SingleAlert
requiredDataConnectors:
- connectorId: SemperisDSP
dataTypes:
- dsp_parser
query: |-
Event
| where Source == 'Semperis-DSP-Notifications' and EventID == 30001
| extend p1Xml = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array p1Xml
| evaluate bag_unpack(p1Xml)
| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')
| evaluate pivot(Name, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, EventCategory, UserName, Type, _ResourceId)
| parse column_ifexists('objectDN', '') with * "CN=" cnName "," *
| where "Critical" == column_ifexists('severity', "")
| count
queryPeriod: 30m
name: Semperis DSP Operations Critical Notifications
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Operations_Critical_Notifications_.yaml
status: Available
description: |
'Alerts when there are critical notifications fired in the DSP system.'
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8f471e21-3bb2-466f-9bc2-0a0326a60788')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8f471e21-3bb2-466f-9bc2-0a0326a60788')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Semperis DSP Operations Critical Notifications",
"description": "'Alerts when there are critical notifications fired in the DSP system.'\n",
"severity": "Medium",
"enabled": true,
"query": "Event\n| where Source == 'Semperis-DSP-Notifications' and EventID == 30001\n| extend p1Xml = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')\n| evaluate pivot(Name, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, EventCategory, UserName, Type, _ResourceId)\n| parse column_ifexists('objectDN', '') with * \"CN=\" cnName \",\" *\n| where \"Critical\" == column_ifexists('severity', \"\")\n| count",
"queryFrequency": "PT30M",
"queryPeriod": "PT30M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"alertRuleTemplateName": "8f471e21-3bb2-466f-9bc2-0a0326a60788",
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "A critical notification was created in the DSP system.",
"alertDisplayNameFormat": "Critical Notification -- Alert from Semperis Directory Services Protector"
},
"customDetails": null,
"entityMappings": null,
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_Operations_Critical_Notifications_.yaml",
"status": "Available"
}
}
]
}