Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Missing Domain Controller Heartbeat

Missing Domain Controller Heartbeat

Back
Idb8b8ba09-1e89-45a1-8bd7-691cd23bfa32
RulenameMissing Domain Controller Heartbeat
DescriptionThis detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.
SeverityHigh
TacticsImpact
DefenseEvasion
TechniquesT1499
T1564
KindScheduled
Query frequency15m
Query period2h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/MissingDCHearbeat.yaml
Version1.0.5
Arm templateb8b8ba09-1e89-45a1-8bd7-691cd23bfa32.json
Deploy To Azure
let query_frequency = 15m;
let missing_period = 1h;
//Enter a reference list of hostnames for your DC servers
let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
//Alternatively, a Watchlist can be used
//let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;
Heartbeat
| summarize arg_max(TimeGenerated, *) by Computer
| where Computer in (DCServersList)
//You may specify the OS type of your Domain Controllers
//| where OSType == 'Windows'
| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))
| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions
| sort by TimeGenerated asc

version: 1.0.5
name: Missing Domain Controller Heartbeat
metadata:
  categories:
    domains:
    - Security - Others
  author:
    name: Jose Sebastian Canos
  support:
    tier: Community
  source:
    kind: Community
  providers: Microsoft
tactics:
- Impact
- DefenseEvasion
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/MissingDCHearbeat.yaml
relevantTechniques:
- T1499
- T1564
severity: High
kind: Scheduled
requiredDataConnectors: []
query: |
  let query_frequency = 15m;
  let missing_period = 1h;
  //Enter a reference list of hostnames for your DC servers
  let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
  //Alternatively, a Watchlist can be used
  //let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;
  Heartbeat
  | summarize arg_max(TimeGenerated, *) by Computer
  | where Computer in (DCServersList)
  //You may specify the OS type of your Domain Controllers
  //| where OSType == 'Windows'
  | where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))
  | project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions
  | sort by TimeGenerated asc  
queryPeriod: 2h
entityMappings:
- fieldMappings:
  - columnName: Computer
    identifier: HostName
  entityType: Host
queryFrequency: 15m
triggerThreshold: 0
description: |
    'This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.'
id: b8b8ba09-1e89-45a1-8bd7-691cd23bfa32