Microsoft Sentinel Analytic Rules

Valimail Enforce - DMARC Policy Weakened to None

Id: 44ec1fa4-a502-41ae-879a-3aad3557edce
Rulename: Valimail Enforce - DMARC Policy Weakened to None
Description: This query searches for DMARC policies changed to 'none', which disables enforcement and leaves the domain vulnerable to spoofing and phishing attacks.
Severity: High
Tactics: DefenseEvasion, InitialAccess
Techniques: T1566, T1562
Required data connectors: ValimailEnforce
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_DMARCPolicyWeakened.yaml
Version: 1.0.0
Arm template: 44ec1fa4-a502-41ae-879a-3aad3557edce.json

Query:
ValimailEnforceEvents_CL
| where EventSeverity == "High"
| where EventType == "dmarc_policy_set_to_none"
| summarize
    EventCount = count(),
    FirstSeen = min(PerformedAt),
    LastSeen = max(PerformedAt),
    Changes = make_set(EventChange)
  by Subject, User, EventCategory
| extend
    AccountName = tostring(split(User, "@")[0]),
    AccountDomain = tostring(split(User, "@")[1]),
    DomainName = Subject

Rule definition (YAML):
relevantTechniques:
- T1566
- T1562
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: UPNSuffix
- entityType: DNS
  fieldMappings:
  - columnName: DomainName
    identifier: DomainName
version: 1.0.0
id: 44ec1fa4-a502-41ae-879a-3aad3557edce
severity: High
kind: Scheduled
queryFrequency: 1h
description: |
  This query searches for DMARC policies changed to 'none', which disables enforcement
  and leaves the domain vulnerable to spoofing and phishing attacks.
requiredDataConnectors:
- connectorId: ValimailEnforce
  dataTypes:
  - ValimailEnforceEvents_CL
triggerOperator: gt
name: Valimail Enforce - DMARC Policy Weakened to None
tactics:
- DefenseEvasion
- InitialAccess
alertDetailsOverride:
  alertDescriptionFormat: |
    The DMARC policy for domain '{{Subject}}' was set to 'none' by '{{User}}',
    disabling email authentication enforcement. This may expose the domain to spoofing.
  alertDisplayNameFormat: DMARC policy set to NONE on domain {{Subject}} by {{User}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_DMARCPolicyWeakened.yaml
triggerThreshold: 0
queryPeriod: 1h
query: |
  ValimailEnforceEvents_CL
  | where EventSeverity == "High"
  | where EventType == "dmarc_policy_set_to_none"
  | summarize
      EventCount = count(),
      FirstSeen = min(PerformedAt),
      LastSeen = max(PerformedAt),
      Changes = make_set(EventChange)
    by Subject, User, EventCategory
  | extend
      AccountName = tostring(split(User, "@")[0]),
      AccountDomain = tostring(split(User, "@")[1]),
      DomainName = Subject
status: Available
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    groupByEntities:
    - DNS
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: 1d