Semperis DSP Kerberos krbtgt account with old password

dsp_parser
| where EventID == 9212
| where SecurityIndicatorName == "Kerberos krbtgt account with old password"

kind: Scheduled
triggerOperator: gt
queryFrequency: 1h
name: Semperis DSP Kerberos krbtgt account with old password
status: Available
queryPeriod: 1h
id: 9ff3b26b-7636-412e-ac46-072b084b94cb
description: |
    'The krbtgt user account is a special (disabled) user account in every Active Directory domain that has a special role in Kerberos function. If this account's password is compromised, Golden Ticket attacks can be performed to get access to any resource in the AD domain. This indicator looks for a krbtgt user account whose password hasn't been changed in the past 180 days. While Microsoft recommends changing the password every year, STIG recommends changing it every 180 days.'
severity: Medium
query: |
  dsp_parser
  | where EventID == 9212
  | where SecurityIndicatorName == "Kerberos krbtgt account with old password"  
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_KerberoskrbtgtAccount.yaml
requiredDataConnectors:
- connectorId: SemperisDSP
  dataTypes:
  - dsp_parser
tactics:
- CredentialAccess
triggerThreshold: 0

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9ff3b26b-7636-412e-ac46-072b084b94cb')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9ff3b26b-7636-412e-ac46-072b084b94cb')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Semperis DSP Kerberos krbtgt account with old password",
        "description": "'The krbtgt user account is a special (disabled) user account in every Active Directory domain that has a special role in Kerberos function. If this account's password is compromised, Golden Ticket attacks can be performed to get access to any resource in the AD domain. This indicator looks for a krbtgt user account whose password hasn't been changed in the past 180 days. While Microsoft recommends changing the password every year, STIG recommends changing it every 180 days.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "dsp_parser\n| where EventID == 9212\n| where SecurityIndicatorName == \"Kerberos krbtgt account with old password\"\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "alertRuleTemplateName": "9ff3b26b-7636-412e-ac46-072b084b94cb",
        "customDetails": null,
        "entityMappings": null,
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_KerberoskrbtgtAccount.yaml",
        "status": "Available"
      }
    }
  ]
}