Microsoft Sentinel Analytic Rules

Valimail Enforce - DMARC Policy Weakened to None

Id: 44ec1fa4-a502-41ae-879a-3aad3557edce
Rulename: Valimail Enforce - DMARC Policy Weakened to None
Description: This query searches for DMARC policies changed to 'none', which disables enforcement (receivers deliver, rather than quarantine or reject, mail that fails DMARC) and leaves the domain vulnerable to spoofing and phishing attacks.
Severity: High
Tactics: DefenseEvasion, InitialAccess
Techniques: T1566 (Phishing), T1562 (Impair Defenses)
Required data connectors: ValimailEnforce
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_DMARCPolicyWeakened.yaml
Version: 1.0.0
Arm template: 44ec1fa4-a502-41ae-879a-3aad3557edce.json
ValimailEnforceEvents_CL
| where EventSeverity == "High"
| where EventType == "dmarc_policy_set_to_none"
| summarize
    EventCount = count(),
    FirstSeen = min(PerformedAt),
    LastSeen = max(PerformedAt),
    Changes = make_set(EventChange)
  by Subject, User, EventCategory
| extend
    AccountName = tostring(split(User, "@")[0]),
    AccountDomain = tostring(split(User, "@")[1]),
    DomainName = Subject
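To see what the rule above actually produces before deploying it, the following is an added Python replica of its where / summarize / extend pipeline, run over constructed ValimailEnforceEvents_CL rows. It is example code written for this page, not part of the Valimail solution or the Azure-Sentinel repository; the column names follow the KQL, but the event values (domains, users, timestamps, EventChange strings) are invented. It also covers one edge case the KQL handles silently: a User value without "@" (for example an automation principal) gives an empty AccountDomain, because tostring(split(User, "@")[1]) on an out-of-range index yields "".

```python
"""Offline replica of the 'Valimail Enforce - DMARC Policy Weakened to None'
analytic rule, run over constructed sample rows (example code, not the rule itself)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample rows. Column names match the ValimailEnforceEvents_CL
# columns the rule references; every value is invented for this example.
SAMPLE_EVENTS = [
    {"PerformedAt": datetime(2024, 5, 1, 9, 0), "EventSeverity": "High",
     "EventType": "dmarc_policy_set_to_none", "EventCategory": "dmarc",
     "Subject": "example.com", "User": "alice@example.com",
     "EventChange": "p=reject -> p=none"},
    {"PerformedAt": datetime(2024, 5, 1, 9, 5), "EventSeverity": "High",
     "EventType": "dmarc_policy_set_to_none", "EventCategory": "dmarc",
     "Subject": "example.com", "User": "alice@example.com",
     "EventChange": "sp=reject -> sp=none"},
    # Same domain, different actor: separate summarize row. No "@" in User,
    # so AccountDomain comes out empty (KQL split()[1] -> null -> "").
    {"PerformedAt": datetime(2024, 5, 1, 10, 0), "EventSeverity": "High",
     "EventType": "dmarc_policy_set_to_none", "EventCategory": "dmarc",
     "Subject": "example.com", "User": "svc-automation",
     "EventChange": "p=quarantine -> p=none"},
    # Dropped by the where clauses: wrong severity, then wrong event type.
    {"PerformedAt": datetime(2024, 5, 1, 11, 0), "EventSeverity": "Low",
     "EventType": "dmarc_policy_set_to_none", "EventCategory": "dmarc",
     "Subject": "sub.example.com", "User": "bob@example.com",
     "EventChange": "p=none -> p=none"},
    {"PerformedAt": datetime(2024, 5, 1, 12, 0), "EventSeverity": "High",
     "EventType": "dmarc_policy_set_to_reject", "EventCategory": "dmarc",
     "Subject": "example.org", "User": "carol@example.org",
     "EventChange": "p=none -> p=reject"},
]

TRIGGER_THRESHOLD = 0  # triggerThreshold: 0 with triggerOperator: gt


def split_upn(user):
    """Mimic tostring(split(User, "@")[0]) and [1]: a missing "@" yields
    the whole string as the name and an empty domain, never an error."""
    parts = user.split("@", 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def run_rule(events):
    """Apply the rule's where -> summarize -> extend steps; return result rows."""
    groups = defaultdict(list)
    for ev in events:
        if ev["EventSeverity"] != "High":
            continue
        if ev["EventType"] != "dmarc_policy_set_to_none":
            continue
        groups[(ev["Subject"], ev["User"], ev["EventCategory"])].append(ev)

    rows = []
    for (subject, user, category), evs in groups.items():
        name, domain = split_upn(user)
        rows.append({
            "Subject": subject, "User": user, "EventCategory": category,
            "EventCount": len(evs),
            "FirstSeen": min(e["PerformedAt"] for e in evs),
            "LastSeen": max(e["PerformedAt"] for e in evs),
            # make_set() returns distinct values; KQL does not guarantee order,
            # so the set is sorted here purely for stable output.
            "Changes": sorted({e["EventChange"] for e in evs}),
            "AccountName": name,      # -> Account entity, Name
            "AccountDomain": domain,  # -> Account entity, UPNSuffix
            "DomainName": subject,    # -> DNS entity, DomainName
        })
    return rows


def alert_titles(rows):
    """Render alertDisplayNameFormat for each result row."""
    return [f"DMARC policy set to NONE on domain {r['Subject']} by {r['User']}"
            for r in rows]


def fires(rows):
    """Scheduled rule fires when the result row count is > triggerThreshold."""
    return len(rows) > TRIGGER_THRESHOLD


if __name__ == "__main__":
    result = run_rule(SAMPLE_EVENTS)
    for title in alert_titles(result):
        print(title)
    print("alert fires:", fires(result))
```

Two points worth noticing from the output: the rule emits one row per (Subject, User, EventCategory), so two operators weakening the same domain in the same hour produce two alerts, which the incident configuration then groups into one incident by the DNS entity over a 1d lookback; and an actor without a UPN-shaped User maps to an Account entity with an empty UPNSuffix, so triage should fall back to the raw User column in that case.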
id: 44ec1fa4-a502-41ae-879a-3aad3557edce
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_DMARCPolicyWeakened.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountDomain
  entityType: Account
- fieldMappings:
  - identifier: DomainName
    columnName: DomainName
  entityType: DNS
requiredDataConnectors:
- dataTypes:
  - ValimailEnforceEvents_CL
  connectorId: ValimailEnforce
queryFrequency: 1h
alertDetailsOverride:
  alertDisplayNameFormat: DMARC policy set to NONE on domain {{Subject}} by {{User}}
  alertDescriptionFormat: |
    The DMARC policy for domain '{{Subject}}' was set to 'none' by '{{User}}',
    disabling email authentication enforcement. This may expose the domain to spoofing.    
queryPeriod: 1h
status: Available
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 1d
    reopenClosedIncident: false
    matchingMethod: Selected
    groupByEntities:
    - DNS
    enabled: true
  createIncident: true
query: |
  ValimailEnforceEvents_CL
  | where EventSeverity == "High"
  | where EventType == "dmarc_policy_set_to_none"
  | summarize
      EventCount = count(),
      FirstSeen = min(PerformedAt),
      LastSeen = max(PerformedAt),
      Changes = make_set(EventChange)
    by Subject, User, EventCategory
  | extend
      AccountName = tostring(split(User, "@")[0]),
      AccountDomain = tostring(split(User, "@")[1]),
      DomainName = Subject  
name: Valimail Enforce - DMARC Policy Weakened to None
kind: Scheduled
tactics:
- DefenseEvasion
- InitialAccess
severity: High
relevantTechniques:
- T1566
- T1562
triggerThreshold: 0
version: 1.0.0
description: |
  This query searches for DMARC policies changed to 'none', which disables enforcement
  and leaves the domain vulnerable to spoofing and phishing attacks.