Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Alsid user accounts issues

Alsid user accounts issues

Back
Idfb9e0b51-8867-48d7-86f4-6e76f2176bf8
RulenameAlsid user accounts issues
DescriptionSearches for triggered Indicators of Exposures related to user accounts issues
SeverityLow
TacticsCredentialAccess
TechniquesT1110
Required data connectorsAlsidForAD
KindScheduled
Query frequency2h
Query period2h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/UserAccountIssues.yaml
Version1.0.1
Arm templatefb9e0b51-8867-48d7-86f4-6e76f2176bf8.json
Deploy To Azure
let SeverityTable=datatable(Severity:string,Level:int) [
"low", 1,
"medium", 2,
"high", 3,
"critical", 4
];
let codeNameList = datatable(Codename:string)["C-ACCOUNTS-DANG-SID-HISTORY", "C-PRE-WIN2000-ACCESS-MEMBERS", "C-PASSWORD-DONT-EXPIRE", "C-SLEEPING-ACCOUNTS", "C-DANG-PRIMGROUPID", "C-PASSWORD-NOT-REQUIRED", "C-USER-PASSWORD"];
afad_parser
| where MessageType == 0 and Codename in~ (codeNameList)
| lookup kind=leftouter SeverityTable on Severity
| order by Level
| extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))

status: Available
triggerOperator: gt
triggerThreshold: 0
name: Alsid user accounts issues
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/UserAccountIssues.yaml
queryPeriod: 2h
severity: Low
kind: Scheduled
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
queryFrequency: 2h
relevantTechniques:
- T1110
requiredDataConnectors:
- dataTypes:
  - AlsidForADLog_CL
  connectorId: AlsidForAD
description: |
    'Searches for triggered Indicators of Exposures related to user accounts issues'
tactics:
- CredentialAccess
query: |
  let SeverityTable=datatable(Severity:string,Level:int) [
  "low", 1,
  "medium", 2,
  "high", 3,
  "critical", 4
  ];
  let codeNameList = datatable(Codename:string)["C-ACCOUNTS-DANG-SID-HISTORY", "C-PRE-WIN2000-ACCESS-MEMBERS", "C-PASSWORD-DONT-EXPIRE", "C-SLEEPING-ACCOUNTS", "C-DANG-PRIMGROUPID", "C-PASSWORD-NOT-REQUIRED", "C-USER-PASSWORD"];
  afad_parser
  | where MessageType == 0 and Codename in~ (codeNameList)
  | lookup kind=leftouter SeverityTable on Severity
  | order by Level
  | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))  
id: fb9e0b51-8867-48d7-86f4-6e76f2176bf8
version: 1.0.1

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb9e0b51-8867-48d7-86f4-6e76f2176bf8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb9e0b51-8867-48d7-86f4-6e76f2176bf8')]",
      "properties": {
        "alertRuleTemplateName": "fb9e0b51-8867-48d7-86f4-6e76f2176bf8",
        "customDetails": null,
        "description": "'Searches for triggered Indicators of Exposures related to user accounts issues'\n",
        "displayName": "Alsid user accounts issues",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/UserAccountIssues.yaml",
        "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-ACCOUNTS-DANG-SID-HISTORY\", \"C-PRE-WIN2000-ACCESS-MEMBERS\", \"C-PASSWORD-DONT-EXPIRE\", \"C-SLEEPING-ACCOUNTS\", \"C-DANG-PRIMGROUPID\", \"C-PASSWORD-NOT-REQUIRED\", \"C-USER-PASSWORD\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n| extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))\n",
        "queryFrequency": "PT2H",
        "queryPeriod": "PT2H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}