Data Source
Semperis Lightning is an Active Directory security platform that provides tier-0 privilege escalation monitoring, attack path analysis, and identity governance visibility. The platform offers comprehensive coverage of high-risk AD attack vectors including golden ticket detection, DCSync monitoring, and privileged credential usage tracking.
Ingestion Mechanism
Function App-based connector (Python 3.11) with an hourly collection schedule. Creates 7 custom Log Analytics tables (with the _CL suffix) via Data Collection Rules (DCR) and Data Collection Endpoints (DCE). Uses Azure Key Vault for API credential storage and a managed identity for secure authentication to Azure Monitor APIs.
Data Streams
- Tier0 Nodes (LightningTier0Nodes_CL) — Identity graph nodes with privilege escalation risk scores
- Attack Paths (LightningAttackPaths_CL) — Calculated privilege escalation attack chains
- Attack Path Links (LightningAttackPathLinks_CL) — Relationship mappings between attack path components
- Tier0 Attackers (LightningTier0Attackers_CL) — Zone access objects with tier-0 privileges
- Indicator Executions (LightningIndicatorExecutions_CL) — IoE (Indicators of Exposure) execution events
- IoE Metadata (LightningIOEsMetadata_CL) — IoE rule definitions and configuration
- IoE Results (LightningIOEResults_CL) — IoE detection findings and risk assessments
Security Impact (Visibility Unlocked)
This connector addresses a critical detection gap in Active Directory tier-0 monitoring. Organizations gain real-time visibility into privilege escalation attack paths that traditional SIEM solutions cannot detect through log analysis alone. The platform's identity graph analysis reveals lateral movement opportunities and credential exposure risks that would otherwise remain invisible until exploitation occurs.
Key detection surfaces enabled:
- Golden ticket usage — Detects forged Kerberos tickets bypassing normal authentication
- DCSync abuse — Monitors unauthorized Active Directory replication requests
- Shadow admin discovery — Identifies hidden privileged accounts and nested group memberships
- Attack path enumeration — Maps viable privilege escalation routes to domain admin
- Credential exposure tracking — Monitors service accounts and privileged credentials at risk
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/LightningAttackPathLinks_CL.json
.script/tests/KqlvalidationsTests/CustomTables/LightningAttackPaths_CL.json
.script/tests/KqlvalidationsTests/CustomTables/LightningIOEResults_CL.json
.script/tests/KqlvalidationsTests/CustomTables/LightningIOEsMetadata_CL.json
.script/tests/KqlvalidationsTests/CustomTables/LightningIndicatorExecutions_CL.json
.script/tests/KqlvalidationsTests/CustomTables/LightningTier0Attackers_CL.json
.script/tests/KqlvalidationsTests/CustomTables/LightningTier0Nodes_CL.json
Solutions/SemperisLightning/Data Connectors/Logos/semperis.svg
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/__init__.py
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/function.json
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/local.settings.json
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_attack_paths.py
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_ioe_execution_results.py
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_ioe_executions.py
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_ioe_metadata.py
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_tier0_attackers.py
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_tier0_nodes.py
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/SemperisLightningLogs_AzureFunction.json
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/azuredeploy_Connector_SemperisLightning_AzureFunction.json
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/createUiDef.json
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/host.json
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/requirements.txt
Solutions/SemperisLightning/Package/testParameters.json
Solutions/SemperisLightning/README.md
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SemperisLightning.zip, SolutionMetadata.json, Solution_SemperisLightning.json, createUiDefinition.json, mainTemplate.json)
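The ingestion mechanism above keeps the API credential in Azure Key Vault, and `local.settings.json` is among the affected files. The following is an added example, not the connector's own code: a review-time check that flags secret-like settings stored inline instead of as Key Vault references. The setting names, sample values and name heuristic are assumptions constructed for illustration.

```python
import json
import re

# App Service / Functions Key Vault reference syntax (SecretUri or VaultName form).
KV_REF = re.compile(
    r"^@Microsoft\.KeyVault\((SecretUri=https://[^;)]+"
    r"|VaultName=[^;)]+;SecretName=[^;)]+(;SecretVersion=[^;)]+)?)\)$"
)
# Heuristic for setting names that usually carry credentials (assumption).
SECRET_NAME = re.compile(r"(key|secret|token|password|pwd|connectionstring)", re.I)
# Values that are clearly not credentials.
BENIGN = {"", "UseDevelopmentStorage=true"}


def audit_settings(settings_json):
    """Return {setting_name: finding} for secret-like settings stored inline."""
    values = json.loads(settings_json).get("Values", {})
    findings = {}
    for name, value in values.items():
        if not SECRET_NAME.search(name) or value in BENIGN:
            continue
        if not KV_REF.match(value):
            findings[name] = "inline value; expected a Key Vault reference"
    return findings


# Constructed sample in local.settings.json shape; names and values are hypothetical.
SAMPLE = json.dumps({
    "IsEncrypted": False,
    "Values": {
        "FUNCTIONS_WORKER_RUNTIME": "python",
        "AzureWebJobsStorage": "UseDevelopmentStorage=true",
        "LIGHTNING_API_KEY": "constructed-plaintext-value",
        "LIGHTNING_API_SECRET": "@Microsoft.KeyVault(SecretUri="
                                "https://example-kv.vault.azure.net/secrets/lightning-api/)",
        "DCE_ENDPOINT": "https://example-dce.ingest.monitor.azure.com",
    },
})

if __name__ == "__main__":
    for name, finding in audit_settings(SAMPLE).items():
        print(f"{name}: {finding}")
```

The same function can be run over app settings exported from a deployed Function App once they are wrapped in a `Values` object.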