Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Alsid privileged accounts issues

Alsid privileged accounts issues

Back
Ida5fe9489-cf8b-47ae-a87e-8f3a13e4203e
RulenameAlsid privileged accounts issues
DescriptionSearches for triggered Indicators of Exposures related to privileged accounts issues
SeverityLow
TacticsCredentialAccess
TechniquesT1110
Required data connectorsAlsidForAD
KindScheduled
Query frequency2h
Query period2h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/PrivilegedAccountIssues.yaml
Version1.0.1
Arm templatea5fe9489-cf8b-47ae-a87e-8f3a13e4203e.json
Deploy To Azure
let SeverityTable=datatable(Severity:string,Level:int) [
"low", 1,
"medium", 2,
"high", 3,
"critical", 4
];
let codeNameList = datatable(Codename:string)["C-PRIV-ACCOUNTS-SPN", "C-NATIVE-ADM-GROUP-MEMBERS", "C-KRBTGT-PASSWORD", "C-PROTECTED-USERS-GROUP-UNUSED", "C-ADMINCOUNT-ACCOUNT-PROPS", "C-ADM-ACC-USAGE", "C-LAPS-UNSECURE-CONFIG", "C-DISABLED-ACCOUNTS-PRIV-GROUPS"];
afad_parser
| where MessageType == 0 and Codename in~ (codeNameList)
| lookup kind=leftouter SeverityTable on Severity
| order by Level
| extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))

name: Alsid privileged accounts issues
status: Available
triggerThreshold: 0
severity: Low
tactics:
- CredentialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/PrivilegedAccountIssues.yaml
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
queryPeriod: 2h
queryFrequency: 2h
version: 1.0.1
triggerOperator: gt
description: |
    'Searches for triggered Indicators of Exposures related to privileged accounts issues'
query: |
  let SeverityTable=datatable(Severity:string,Level:int) [
  "low", 1,
  "medium", 2,
  "high", 3,
  "critical", 4
  ];
  let codeNameList = datatable(Codename:string)["C-PRIV-ACCOUNTS-SPN", "C-NATIVE-ADM-GROUP-MEMBERS", "C-KRBTGT-PASSWORD", "C-PROTECTED-USERS-GROUP-UNUSED", "C-ADMINCOUNT-ACCOUNT-PROPS", "C-ADM-ACC-USAGE", "C-LAPS-UNSECURE-CONFIG", "C-DISABLED-ACCOUNTS-PRIV-GROUPS"];
  afad_parser
  | where MessageType == 0 and Codename in~ (codeNameList)
  | lookup kind=leftouter SeverityTable on Severity
  | order by Level
  | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))  
relevantTechniques:
- T1110
id: a5fe9489-cf8b-47ae-a87e-8f3a13e4203e
requiredDataConnectors:
- dataTypes:
  - AlsidForADLog_CL
  connectorId: AlsidForAD
kind: Scheduled

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a5fe9489-cf8b-47ae-a87e-8f3a13e4203e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a5fe9489-cf8b-47ae-a87e-8f3a13e4203e')]",
      "properties": {
        "alertRuleTemplateName": "a5fe9489-cf8b-47ae-a87e-8f3a13e4203e",
        "customDetails": null,
        "description": "'Searches for triggered Indicators of Exposures related to privileged accounts issues'\n",
        "displayName": "Alsid privileged accounts issues",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/PrivilegedAccountIssues.yaml",
        "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-PRIV-ACCOUNTS-SPN\", \"C-NATIVE-ADM-GROUP-MEMBERS\", \"C-KRBTGT-PASSWORD\", \"C-PROTECTED-USERS-GROUP-UNUSED\", \"C-ADMINCOUNT-ACCOUNT-PROPS\", \"C-ADM-ACC-USAGE\", \"C-LAPS-UNSECURE-CONFIG\", \"C-DISABLED-ACCOUNTS-PRIV-GROUPS\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n| extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))\n",
        "queryFrequency": "PT2H",
        "queryPeriod": "PT2H",
        "severity": "Low",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}