Semperis¶
About¶
Semperis offers the industry’s most comprehensive defense for on-prem AD and Azure AD (Entra ID), bar none.
Product Details¶
Vendor URL: Semperis
Product Type: DSP
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Not available
Log Guide: N\A
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 90%
Data Label: SEMPERIS_DSP
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| MECHANISM_UNSPECIFIED | extensions.auth.mechanism |
| Directory Services Protector | metadata.product_name |
| Semperis | metadata.vendor_name |
| event | metadata.product_event_type |
| application | observer.application |
| server | observer.hostname |
| ChangeId | observer.labels |
| src_app, OperationSource | principal.application |
| PartintionNamingContext | principal.administrative_domain |
| OriginatingServer | principal.domain.name_server |
| StringValueFrom, OriginatingServer | principal.hostname |
| StringValueFrom, OperationSrouce | principal.ip |
| StringValueFrom | principal.resource.attribute.last_update_time |
| DistringuishedName | principal.resource.name |
| PartitionNamingContext | principal.resource.parent |
| ForestId | principal.resource.product_object_id |
| DEVICE, SETTING, UNSPECIFIED | principal.resource.resource_type |
| Type, ClassName | principal.resource.resource_subtype |
| OriginatingUsers | principal.user.userid |
| ALLOW, ALLOW_WITH_MODIFICATION, BLOCK | security_result.action |
| ObjectModificationType | security_result.action_details |
| OperationTarget | target.application |
| ValidUntil | target.domain.expiration_time |
| x_host, StringValueTo | target.hostname |
| x_ip, IPv4, StringValueTo | target.ip |
| StringValueTo | target.resource.attribute.last_update_time |
| DistinguishedName | target.resource.name |
| DEVICE, SETTING, UNSPECIFIED | target.resource.resource_type |
| Type | target.resource.resource_subtype |
| TrusteeName | target.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| LoginDSP | USER_LOGIN |
| all others | GENERIC_EVENT |
Log Sample¶
<110>Mar 12 11:40:37 hostname.admin_domain.subdomain.domain.com Semperis.DSP [AdChanges@111] [ForestId] forestid11111 [ChangeId] 14945284 [PartitionNamingContext] DC=admin_domain,DC=subdomain,DC=domain,DC=com [DistinguishedName] CN=timestamp{UID},CN=commonname,OU=ouName,OU=ouName,OU=domain,DC=admin_domian,DC=subdomain,DC=domain,DC=com [ClassName] classname [AttributeName] objectCategory [ObjectModificationType] CreateObject [AttributeModificationType] Modify [LinkedValueDN] [ValidUntil] 2100-01-01T00:00:00.000Z [OriginatingServer] host.admin_doman.subdomain.domain.com [OriginatingTime] 2024-03-12T15:44:17.000Z [OriginatingUsers] DOMAIN\USER; [OriginatingUserWorkstations] [StringValueFrom] [StringValueTo] CN=commonName,CN=Schema,CN=Configuration,DC=subdomain,DC=DomainName,DC=com
Sample Parsing¶
observer.application = "Semperis.DSP"
observer.hostname = "hostname.admin_domain.subdomain.domain.com"
principal.administrative_domain = "admin_domain"
principal.domain.name_server = "hostname.admin_domain.subdomain.domain.com"
principal.hostname = "hostname.admin_domain.subdomain.domain.com"
principal.resource.name = "CN=2024-03-12T10:44:16-06:00{C4D58D13-325D-4AAA-BF6E-3EDE3F9274C1},CN=commonName,OU=ouName,OU=ouName,OU=ouName,DC=admin_domain,DC=subdomain,DC=domain,DC=com"
principal.resource.parent = "DC=admin_name,DC=subdomain,DC=domain,DC=com"
principal.resource.product_object_id = "forestid11111"
principal.resource.resource_subtype = "clasname"
principal.user.userid = "DOMAIN\\USER"
security_result.action_details = "CreateObject"
security_result.action = "ALLOW_WITH_MODIFICATION"
target.domain.expiration_time.seconds = 1704067200
target.domain.expiration_time.nanos = 0
Rules¶
Coming Soon