Missing Domain Controller Heartbeat
Id | b8b8ba09-1e89-45a1-8bd7-691cd23bfa32 |
Rulename | Missing Domain Controller Heartbeat |
Description | This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago. |
Severity | High |
Tactics | Impact DefenseEvasion |
Techniques | T1499 T1564 |
Kind | Scheduled |
Query frequency | 15m |
Query period | 2h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/MissingDCHearbeat.yaml |
Version | 1.0.5 |
Arm template | b8b8ba09-1e89-45a1-8bd7-691cd23bfa32.json |
let query_frequency = 15m;
let missing_period = 1h;
//Enter a reference list of hostnames for your DC servers
let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
//Alternatively, a Watchlist can be used
//let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;
Heartbeat
| summarize arg_max(TimeGenerated, *) by Computer
| where Computer in (DCServersList)
//You may specify the OS type of your Domain Controllers
//| where OSType == 'Windows'
| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))
| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions
| sort by TimeGenerated asc
description: |
'This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.'
tactics:
- Impact
- DefenseEvasion
query: |
let query_frequency = 15m;
let missing_period = 1h;
//Enter a reference list of hostnames for your DC servers
let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
//Alternatively, a Watchlist can be used
//let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;
Heartbeat
| summarize arg_max(TimeGenerated, *) by Computer
| where Computer in (DCServersList)
//You may specify the OS type of your Domain Controllers
//| where OSType == 'Windows'
| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))
| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions
| sort by TimeGenerated asc
triggerOperator: gt
entityMappings:
- fieldMappings:
- columnName: Computer
identifier: HostName
entityType: Host
metadata:
categories:
domains:
- Security - Others
support:
tier: Community
providers: Microsoft
source:
kind: Community
author:
name: Jose Sebastian Canos
version: 1.0.5
triggerThreshold: 0
queryPeriod: 2h
kind: Scheduled
requiredDataConnectors: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/MissingDCHearbeat.yaml
id: b8b8ba09-1e89-45a1-8bd7-691cd23bfa32
queryFrequency: 15m
severity: High
name: Missing Domain Controller Heartbeat
relevantTechniques:
- T1499
- T1564
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32')]",
"properties": {
"alertRuleTemplateName": "b8b8ba09-1e89-45a1-8bd7-691cd23bfa32",
"customDetails": null,
"description": "'This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.'\n",
"displayName": "Missing Domain Controller Heartbeat",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "Computer",
"identifier": "HostName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/MissingDCHearbeat.yaml",
"query": "let query_frequency = 15m;\nlet missing_period = 1h;\n//Enter a reference list of hostnames for your DC servers\nlet DCServersList = dynamic ([\"DC01.simulandlabs.com\",\"DC02.simulandlabs.com\"]);\n//Alternatively, a Watchlist can be used\n//let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;\nHeartbeat\n| summarize arg_max(TimeGenerated, *) by Computer\n| where Computer in (DCServersList)\n//You may specify the OS type of your Domain Controllers\n//| where OSType == 'Windows'\n| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\n| sort by TimeGenerated asc\n",
"queryFrequency": "PT15M",
"queryPeriod": "PT2H",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Impact"
],
"techniques": [
"T1499",
"T1564"
],
"templateVersion": "1.0.5",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}