Missing Domain Controller Heartbeat
Id | b8b8ba09-1e89-45a1-8bd7-691cd23bfa32 |
Rulename | Missing Domain Controller Heartbeat |
Description | This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago. |
Severity | High |
Tactics | Impact DefenseEvasion |
Techniques | T1499 T1564 |
Kind | Scheduled |
Query frequency | 15m |
Query period | 2h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/MissingDCHearbeat.yaml |
Version | 1.0.5 |
Arm template | b8b8ba09-1e89-45a1-8bd7-691cd23bfa32.json |
let query_frequency = 15m;
let missing_period = 1h;
//Enter a reference list of hostnames for your DC servers
let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
//Alternatively, a Watchlist can be used
//let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;
Heartbeat
| summarize arg_max(TimeGenerated, *) by Computer
| where Computer in (DCServersList)
//You may specify the OS type of your Domain Controllers
//| where OSType == 'Windows'
| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))
| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions
| sort by TimeGenerated asc
metadata:
categories:
domains:
- Security - Others
author:
name: Jose Sebastian Canos
providers: Microsoft
source:
kind: Community
support:
tier: Community
id: b8b8ba09-1e89-45a1-8bd7-691cd23bfa32
query: |
let query_frequency = 15m;
let missing_period = 1h;
//Enter a reference list of hostnames for your DC servers
let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
//Alternatively, a Watchlist can be used
//let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;
Heartbeat
| summarize arg_max(TimeGenerated, *) by Computer
| where Computer in (DCServersList)
//You may specify the OS type of your Domain Controllers
//| where OSType == 'Windows'
| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))
| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions
| sort by TimeGenerated asc
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/MissingDCHearbeat.yaml
description: |
'This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.'
name: Missing Domain Controller Heartbeat
relevantTechniques:
- T1499
- T1564
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Computer
triggerThreshold: 0
severity: High
requiredDataConnectors: []
queryFrequency: 15m
queryPeriod: 2h
version: 1.0.5
kind: Scheduled
tactics:
- Impact
- DefenseEvasion
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32')]",
"properties": {
"alertRuleTemplateName": "b8b8ba09-1e89-45a1-8bd7-691cd23bfa32",
"customDetails": null,
"description": "'This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.'\n",
"displayName": "Missing Domain Controller Heartbeat",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "Computer",
"identifier": "HostName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/MissingDCHearbeat.yaml",
"query": "let query_frequency = 15m;\nlet missing_period = 1h;\n//Enter a reference list of hostnames for your DC servers\nlet DCServersList = dynamic ([\"DC01.simulandlabs.com\",\"DC02.simulandlabs.com\"]);\n//Alternatively, a Watchlist can be used\n//let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;\nHeartbeat\n| summarize arg_max(TimeGenerated, *) by Computer\n| where Computer in (DCServersList)\n//You may specify the OS type of your Domain Controllers\n//| where OSType == 'Windows'\n| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\n| sort by TimeGenerated asc\n",
"queryFrequency": "PT15M",
"queryPeriod": "PT2H",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Impact"
],
"techniques": [
"T1499",
"T1564"
],
"templateVersion": "1.0.5",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}