Missing Domain Controller Heartbeat
Id | b8b8ba09-1e89-45a1-8bd7-691cd23bfa32 |
Rulename | Missing Domain Controller Heartbeat |
Description | This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago. |
Severity | High |
Tactics | Impact DefenseEvasion |
Techniques | T1499 T1564 |
Kind | Scheduled |
Query frequency | 15m |
Query period | 2h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/MissingDCHearbeat.yaml |
Version | 1.0.5 |
Arm template | b8b8ba09-1e89-45a1-8bd7-691cd23bfa32.json |
let query_frequency = 15m;
let missing_period = 1h;
//Enter a reference list of hostnames for your DC servers
let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
//Alternatively, a Watchlist can be used
//let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;
Heartbeat
| summarize arg_max(TimeGenerated, *) by Computer
| where Computer in (DCServersList)
//You may specify the OS type of your Domain Controllers
//| where OSType == 'Windows'
| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))
| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions
| sort by TimeGenerated asc
requiredDataConnectors: []
triggerThreshold: 0
relevantTechniques:
- T1499
- T1564
queryPeriod: 2h
version: 1.0.5
id: b8b8ba09-1e89-45a1-8bd7-691cd23bfa32
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/MissingDCHearbeat.yaml
query: |
let query_frequency = 15m;
let missing_period = 1h;
//Enter a reference list of hostnames for your DC servers
let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
//Alternatively, a Watchlist can be used
//let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;
Heartbeat
| summarize arg_max(TimeGenerated, *) by Computer
| where Computer in (DCServersList)
//You may specify the OS type of your Domain Controllers
//| where OSType == 'Windows'
| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))
| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions
| sort by TimeGenerated asc
metadata:
support:
tier: Community
providers: Microsoft
categories:
domains:
- Security - Others
source:
kind: Community
author:
name: Jose Sebastian Canos
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: Computer
entityType: Host
tactics:
- Impact
- DefenseEvasion
severity: High
name: Missing Domain Controller Heartbeat
queryFrequency: 15m
triggerOperator: gt
kind: Scheduled
description: |
'This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.'
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32')]",
"properties": {
"alertRuleTemplateName": "b8b8ba09-1e89-45a1-8bd7-691cd23bfa32",
"customDetails": null,
"description": "'This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.'\n",
"displayName": "Missing Domain Controller Heartbeat",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "Computer",
"identifier": "HostName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/MissingDCHearbeat.yaml",
"query": "let query_frequency = 15m;\nlet missing_period = 1h;\n//Enter a reference list of hostnames for your DC servers\nlet DCServersList = dynamic ([\"DC01.simulandlabs.com\",\"DC02.simulandlabs.com\"]);\n//Alternatively, a Watchlist can be used\n//let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;\nHeartbeat\n| summarize arg_max(TimeGenerated, *) by Computer\n| where Computer in (DCServersList)\n//You may specify the OS type of your Domain Controllers\n//| where OSType == 'Windows'\n| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\n| sort by TimeGenerated asc\n",
"queryFrequency": "PT15M",
"queryPeriod": "PT2H",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Impact"
],
"techniques": [
"T1499",
"T1564"
],
"templateVersion": "1.0.5",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}