Microsoft Sentinel Analytic Rules

Valimail Enforce - DMARC Policy Weakened to None

Id: 44ec1fa4-a502-41ae-879a-3aad3557edce
Rulename: Valimail Enforce - DMARC Policy Weakened to None
Description: This query searches for DMARC policies changed to 'none', which disables enforcement and leaves the domain vulnerable to spoofing and phishing attacks.
Severity: High
Tactics: DefenseEvasion, InitialAccess
Techniques: T1566, T1562
Required data connectors: ValimailEnforce
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_DMARCPolicyWeakened.yaml
Version: 1.0.0
Arm template: 44ec1fa4-a502-41ae-879a-3aad3557edce.json
ValimailEnforceEvents_CL
// Keep only high-severity events of the type recorded when a domain's DMARC policy is set to none
| where EventSeverity == "High"
| where EventType == "dmarc_policy_set_to_none"
// One row per (domain, actor, category); make_set() collects every distinct change string
| summarize
    EventCount = count(),
    FirstSeen = min(PerformedAt),
    LastSeen = max(PerformedAt),
    Changes = make_set(EventChange)
  by Subject, User, EventCategory
// Derive the columns the entity mappings consume (Account: Name/UPNSuffix, DNS: DomainName);
// a User value without "@" yields an empty AccountDomain because split()[1] is null
| extend
    AccountName = tostring(split(User, "@")[0]),
    AccountDomain = tostring(split(User, "@")[1]),
    DomainName = Subject
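The detection logic of the query above, re-implemented in Python over constructed sample records so the filter, the grouping and the derived Account/DNS entity columns can be checked offline, followed by a small DMARC TXT record check an analyst can use during triage to confirm that the published policy really no longer enforces. This is an added example, not code from the Azure-Sentinel solution or from Valimail: the sample events, the TXT record strings and the helper names detect_dmarc_weakened, parse_dmarc and dmarc_weaknesses are constructed for illustration; only the column names follow the rule's query.

```python
"""Added example, not part of the Azure-Sentinel solution or the Valimail Enforce
connector.  Part 1 mirrors the rule's KQL (where / summarize / extend) over
constructed ValimailEnforceEvents_CL-style records.  Part 2 parses a DMARC TXT
record and lists why it does not fully enforce, for confirming an alert.
All field names follow the query; all sample data below is made up.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events.  Rows 1-3 survive the filter; rows 1 and 2 share
# Subject/User/EventCategory and therefore collapse into a single alert row.
SAMPLE_EVENTS = [
    {"EventSeverity": "High", "EventType": "dmarc_policy_set_to_none",
     "Subject": "example.com", "User": "alice@example.com",
     "EventCategory": "DMARC Policy", "PerformedAt": "2024-05-01T10:00:00",
     "EventChange": "p=reject -> p=none"},
    {"EventSeverity": "High", "EventType": "dmarc_policy_set_to_none",
     "Subject": "example.com", "User": "alice@example.com",
     "EventCategory": "DMARC Policy", "PerformedAt": "2024-05-01T11:30:00",
     "EventChange": "sp=reject -> sp=none"},
    # A User without "@" exercises the split(User, "@")[1] edge case of the KQL.
    {"EventSeverity": "High", "EventType": "dmarc_policy_set_to_none",
     "Subject": "mail.example.net", "User": "svc-dns",
     "EventCategory": "DMARC Policy", "PerformedAt": "2024-05-01T12:00:00",
     "EventChange": "p=quarantine -> p=none"},
    # Filtered out: a tightening of policy, and an event that is not High.
    {"EventSeverity": "High", "EventType": "dmarc_policy_set_to_reject",
     "Subject": "example.com", "User": "bob@example.com",
     "EventCategory": "DMARC Policy", "PerformedAt": "2024-05-01T13:00:00",
     "EventChange": "p=none -> p=reject"},
    {"EventSeverity": "Low", "EventType": "dmarc_policy_set_to_none",
     "Subject": "example.org", "User": "carol@example.org",
     "EventCategory": "DMARC Policy", "PerformedAt": "2024-05-01T14:00:00",
     "EventChange": "p=none -> p=none"},
]


def detect_dmarc_weakened(events):
    """Mirror the KQL: filter on EventSeverity/EventType, summarize by
    Subject/User/EventCategory, then derive the entity columns the rule
    maps to Account (Name, UPNSuffix) and DNS (DomainName)."""
    groups = defaultdict(list)
    for e in events:
        if e["EventSeverity"] != "High" or e["EventType"] != "dmarc_policy_set_to_none":
            continue
        groups[(e["Subject"], e["User"], e["EventCategory"])].append(e)

    rows = []
    for (subject, user, category), hits in sorted(groups.items()):
        times = [datetime.fromisoformat(h["PerformedAt"]) for h in hits]
        parts = user.split("@")  # KQL split()[1] on a 1-element array is null -> ""
        rows.append({
            "Subject": subject, "User": user, "EventCategory": category,
            "EventCount": len(hits),
            "FirstSeen": min(times).isoformat(),
            "LastSeen": max(times).isoformat(),
            "Changes": sorted({h["EventChange"] for h in hits}),  # make_set: distinct values
            "AccountName": parts[0],
            "AccountDomain": parts[1] if len(parts) > 1 else "",
            "DomainName": subject,
        })
    return rows


ENFORCING = ("quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT record into tag=value pairs; {} if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def dmarc_weaknesses(txt):
    """Reasons the published record does not fully enforce; [] means
    p is quarantine/reject, sp (if present) too, and pct is 100."""
    tags = parse_dmarc(txt)
    if not tags:
        return ["not a DMARC record"]
    reasons = []
    p = tags.get("p", "").lower()
    if p not in ENFORCING:
        reasons.append(f"p={p or 'missing'}")
    sp = tags.get("sp")  # subdomain policy; absent means it inherits p
    if sp is not None and sp.lower() not in ENFORCING:
        reasons.append(f"sp={sp.lower()}")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 0
    if pct < 100:
        reasons.append(f"pct={tags['pct']}")
    return reasons


if __name__ == "__main__":
    for row in detect_dmarc_weakened(SAMPLE_EVENTS):
        print(f"DMARC policy set to NONE on domain {row['DomainName']} by {row['User']} "
              f"({row['EventCount']} change(s): {', '.join(row['Changes'])})")
    # Constructed TXT records standing in for a DNS lookup of _dmarc.<DomainName>.
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=none; rua=mailto:dmarc@example.com"):
        print(rec, "->", dmarc_weaknesses(rec) or ["enforcing"])
```

In a real triage the rows come from the Sentinel table and the TXT record from a DNS query for _dmarc.<DomainName>; the record check is what turns the Valimail event into a confirmed finding, and it also catches the quieter weakenings (sp=none on subdomains, pct below 100) that this rule's EventType filter alone does not cover. Note that KQL's make_set() returns values in no guaranteed order, so the sorted() here is for deterministic output only.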
status: Available
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
query: |
  ValimailEnforceEvents_CL
  | where EventSeverity == "High"
  | where EventType == "dmarc_policy_set_to_none"
  | summarize
      EventCount = count(),
      FirstSeen = min(PerformedAt),
      LastSeen = max(PerformedAt),
      Changes = make_set(EventChange)
    by Subject, User, EventCategory
  | extend
      AccountName = tostring(split(User, "@")[0]),
      AccountDomain = tostring(split(User, "@")[1]),
      DomainName = Subject  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_DMARCPolicyWeakened.yaml
tactics:
- DefenseEvasion
- InitialAccess
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountDomain
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: DomainName
requiredDataConnectors:
- connectorId: ValimailEnforce
  dataTypes:
  - ValimailEnforceEvents_CL
alertDetailsOverride:
  alertDescriptionFormat: |
    The DMARC policy for domain '{{Subject}}' was set to 'none' by '{{User}}',
    disabling email authentication enforcement. This may expose the domain to spoofing.    
  alertDisplayNameFormat: DMARC policy set to NONE on domain {{Subject}} by {{User}}
relevantTechniques:
- T1566
- T1562
description: |
  This query searches for DMARC policies changed to 'none', which disables enforcement
  and leaves the domain vulnerable to spoofing and phishing attacks.  
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: true
    matchingMethod: Selected
    lookbackDuration: 1d
    groupByEntities:
    - DNS
  createIncident: true
name: Valimail Enforce - DMARC Policy Weakened to None
version: 1.0.0
kind: Scheduled
id: 44ec1fa4-a502-41ae-879a-3aad3557edce
severity: High