Missing Domain Controller Heartbeat

Back


Id	b8b8ba09-1e89-45a1-8bd7-691cd23bfa32
Rulename	Missing Domain Controller Heartbeat
Description	This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.
Severity	High
Tactics	Impact DefenseEvasion
Techniques	T1499 T1564
Kind	Scheduled
Query frequency	15m
Query period	2h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/MissingDCHearbeat.yaml
Version	1.0.5
Arm template	b8b8ba09-1e89-45a1-8bd7-691cd23bfa32.json

KQL

let query_frequency = 15m;
let missing_period = 1h;
//Enter a reference list of hostnames for your DC servers
let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
//Alternatively, a Watchlist can be used
//let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;
Heartbeat
| summarize arg_max(TimeGenerated, *) by Computer
| where Computer in (DCServersList)
//You may specify the OS type of your Domain Controllers
//| where OSType == 'Windows'
| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))
| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions
| sort by TimeGenerated asc

YAML

description: |
    'This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.'
tactics:
- Impact
- DefenseEvasion
query: |
  let query_frequency = 15m;
  let missing_period = 1h;
  //Enter a reference list of hostnames for your DC servers
  let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
  //Alternatively, a Watchlist can be used
  //let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;
  Heartbeat
  | summarize arg_max(TimeGenerated, *) by Computer
  | where Computer in (DCServersList)
  //You may specify the OS type of your Domain Controllers
  //| where OSType == 'Windows'
  | where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))
  | project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions
  | sort by TimeGenerated asc  
triggerOperator: gt
entityMappings:
- fieldMappings:
  - columnName: Computer
    identifier: HostName
  entityType: Host
metadata:
  categories:
    domains:
    - Security - Others
  support:
    tier: Community
  providers: Microsoft
  source:
    kind: Community
  author:
    name: Jose Sebastian Canos
version: 1.0.5
triggerThreshold: 0
queryPeriod: 2h
kind: Scheduled
requiredDataConnectors: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/MissingDCHearbeat.yaml
id: b8b8ba09-1e89-45a1-8bd7-691cd23bfa32
queryFrequency: 15m
severity: High
name: Missing Domain Controller Heartbeat
relevantTechniques:
- T1499
- T1564

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32')]",
      "properties": {
        "alertRuleTemplateName": "b8b8ba09-1e89-45a1-8bd7-691cd23bfa32",
        "customDetails": null,
        "description": "'This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.'\n",
        "displayName": "Missing Domain Controller Heartbeat",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/MissingDCHearbeat.yaml",
        "query": "let query_frequency = 15m;\nlet missing_period = 1h;\n//Enter a reference list of hostnames for your DC servers\nlet DCServersList = dynamic ([\"DC01.simulandlabs.com\",\"DC02.simulandlabs.com\"]);\n//Alternatively, a Watchlist can be used\n//let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;\nHeartbeat\n| summarize arg_max(TimeGenerated, *) by Computer\n| where Computer in (DCServersList)\n//You may specify the OS type of your Domain Controllers\n//| where OSType == 'Windows'\n| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\n| sort by TimeGenerated asc\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT2H",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "techniques": [
          "T1499",
          "T1564"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}