Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Semperis DSP RBAC Changes

Back
Ide5edf3f3-de53-45e6-b0d7-1ce1c048df4a
RulenameSemperis DSP RBAC Changes
DescriptionAlerts when there are RBAC changes in the DSP system.
SeverityMedium
TacticsPrivilegeEscalation
Persistence
TechniquesT1548
T1098
Required data connectorsSemperisDSP
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_RBAC_Changes.yaml
Version1.1.1
Arm templatee5edf3f3-de53-45e6-b0d7-1ce1c048df4a.json
Deploy To Azure
Event 
| where Source == 'Semperis-Operation-Log' and EventID == 20012 
| order by TimeGenerated desc
| extend p1Xml = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array p1Xml
| evaluate bag_unpack(p1Xml)
| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')
| extend det = column_ifexists('details', '')
| parse det with "Occured at (UTC): " OccurredAt "Session ID: " SessionID "Trustee Name: " TrusteeName "Correlation ID: " CorrelationID "Source: " Source "WebSite Target: " WebSiteTarget "Product: " Product "Component: " Component "AD Information: " ADInformation "Object GUID: " ObjectGUID "Attribute: " Attribute "Distinguished Name: " DistinguishedName "Additional Information: "AdditionalInformation "Operation Detail: " OperationDetail "operationName: " operationName "trustee: " trustee "personas: " personas "Status: " status "Granted: " Granted "Result: " Result
| extend _AccessGranted = iif(operationName contains "CreateRbacIdentity", "Added", "Removed")
| extend _Identity = iif(operationName contains "CreateRbacIdentity", trustee, tostring(substring(trustee, 1, strlen(trustee))))
| extend _Identity = iif(operationName contains "CreateRbacIdentity", _Identity, replace_string(_Identity, "'", ""))
| extend add_personas = replace_string(replace_string(replace_string(personas, "{ Name = ", ""), " }", ""), ";", ",")
| extend remove_personas = replace_string(personas, ";", ",")
| extend grid_personas = iif(operationName contains "CreateRbacIdentity", add_personas, remove_personas)
| extend date_to_sort = format_datetime(TimeGenerated, "yyyy-mm-dd   HH:mm:ss")
| order by date_to_sort desc
| extend NTDomain = tostring(split(UserName, '\\', 0)[0]), LoginUser = tostring(split(UserName, '\\', 1)[0])
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
name: Semperis DSP RBAC Changes
alertDetailsOverride:
  alertDisplayNameFormat: RBAC Change -- Alert from Semperis Directory Services Protector
  alertDescriptionFormat: A RBAC change was detected in the DSP system.
severity: Medium
queryFrequency: 30m
triggerOperator: gt
relevantTechniques:
- T1548
- T1098
status: Available
description: |
    'Alerts when there are RBAC changes in the DSP system.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_RBAC_Changes.yaml
requiredDataConnectors:
- connectorId: SemperisDSP
  dataTypes:
  - dsp_parser
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: LoginUser
  - identifier: NTDomain
    columnName: NTDomain
  entityType: Account
- fieldMappings:
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
tactics:
- PrivilegeEscalation
- Persistence
queryPeriod: 30m
query: |
  Event 
  | where Source == 'Semperis-Operation-Log' and EventID == 20012 
  | order by TimeGenerated desc
  | extend p1Xml = parse_xml(EventData).DataItem.EventData.Data
  | mv-expand bagexpansion=array p1Xml
  | evaluate bag_unpack(p1Xml)
  | extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')
  | extend det = column_ifexists('details', '')
  | parse det with "Occured at (UTC): " OccurredAt "Session ID: " SessionID "Trustee Name: " TrusteeName "Correlation ID: " CorrelationID "Source: " Source "WebSite Target: " WebSiteTarget "Product: " Product "Component: " Component "AD Information: " ADInformation "Object GUID: " ObjectGUID "Attribute: " Attribute "Distinguished Name: " DistinguishedName "Additional Information: "AdditionalInformation "Operation Detail: " OperationDetail "operationName: " operationName "trustee: " trustee "personas: " personas "Status: " status "Granted: " Granted "Result: " Result
  | extend _AccessGranted = iif(operationName contains "CreateRbacIdentity", "Added", "Removed")
  | extend _Identity = iif(operationName contains "CreateRbacIdentity", trustee, tostring(substring(trustee, 1, strlen(trustee))))
  | extend _Identity = iif(operationName contains "CreateRbacIdentity", _Identity, replace_string(_Identity, "'", ""))
  | extend add_personas = replace_string(replace_string(replace_string(personas, "{ Name = ", ""), " }", ""), ";", ",")
  | extend remove_personas = replace_string(personas, ";", ",")
  | extend grid_personas = iif(operationName contains "CreateRbacIdentity", add_personas, remove_personas)
  | extend date_to_sort = format_datetime(TimeGenerated, "yyyy-mm-dd   HH:mm:ss")
  | order by date_to_sort desc
  | extend NTDomain = tostring(split(UserName, '\\', 0)[0]), LoginUser = tostring(split(UserName, '\\', 1)[0])
  | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))  
version: 1.1.1
kind: Scheduled
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerThreshold: 0
id: e5edf3f3-de53-45e6-b0d7-1ce1c048df4a
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e5edf3f3-de53-45e6-b0d7-1ce1c048df4a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e5edf3f3-de53-45e6-b0d7-1ce1c048df4a')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A RBAC change was detected in the DSP system.",
          "alertDisplayNameFormat": "RBAC Change -- Alert from Semperis Directory Services Protector"
        },
        "alertRuleTemplateName": "e5edf3f3-de53-45e6-b0d7-1ce1c048df4a",
        "customDetails": null,
        "description": "'Alerts when there are RBAC changes in the DSP system.'\n",
        "displayName": "Semperis DSP RBAC Changes",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "LoginUser",
                "identifier": "Name"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/Semperis_DSP_RBAC_Changes.yaml",
        "query": "Event \n| where Source == 'Semperis-Operation-Log' and EventID == 20012 \n| order by TimeGenerated desc\n| extend p1Xml = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array p1Xml\n| evaluate bag_unpack(p1Xml)\n| extend Name=column_ifexists('@Name', ''), Value=column_ifexists('#text', '')\n| extend det = column_ifexists('details', '')\n| parse det with \"Occured at (UTC): \" OccurredAt \"Session ID: \" SessionID \"Trustee Name: \" TrusteeName \"Correlation ID: \" CorrelationID \"Source: \" Source \"WebSite Target: \" WebSiteTarget \"Product: \" Product \"Component: \" Component \"AD Information: \" ADInformation \"Object GUID: \" ObjectGUID \"Attribute: \" Attribute \"Distinguished Name: \" DistinguishedName \"Additional Information: \"AdditionalInformation \"Operation Detail: \" OperationDetail \"operationName: \" operationName \"trustee: \" trustee \"personas: \" personas \"Status: \" status \"Granted: \" Granted \"Result: \" Result\n| extend _AccessGranted = iif(operationName contains \"CreateRbacIdentity\", \"Added\", \"Removed\")\n| extend _Identity = iif(operationName contains \"CreateRbacIdentity\", trustee, tostring(substring(trustee, 1, strlen(trustee))))\n| extend _Identity = iif(operationName contains \"CreateRbacIdentity\", _Identity, replace_string(_Identity, \"'\", \"\"))\n| extend add_personas = replace_string(replace_string(replace_string(personas, \"{ Name = \", \"\"), \" }\", \"\"), \";\", \",\")\n| extend remove_personas = replace_string(personas, \";\", \",\")\n| extend grid_personas = iif(operationName contains \"CreateRbacIdentity\", add_personas, remove_personas)\n| extend date_to_sort = format_datetime(TimeGenerated, \"yyyy-mm-dd   HH:mm:ss\")\n| order by date_to_sort desc\n| extend NTDomain = tostring(split(UserName, '\\\\', 0)[0]), LoginUser = tostring(split(UserName, '\\\\', 1)[0])\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1098",
          "T1548"
        ],
        "templateVersion": "1.1.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}