Microsoft Sentinel Analytic Rules

Forescout-DNS_Sniff_Event_Monitor

Id: d272e277-f285-4dbc-ae2d-7f65ba64a79e
Rule name: Forescout-DNS_Sniff_Event_Monitor
Description: This rule creates an incident when more than a certain number of Dnsniff events are generated from a host.
Severity: Medium
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml
Version: 2.0.0
Arm template: d272e277-f285-4dbc-ae2d-7f65ba64a79e.json
Query:
ForescoutHostProperties_CL
| extend d = parse_json(HostProperties)
| where d.DnsniffEvent matches regex "DNS Query Type:.A;DNS Query/Response:.Query"
| extend ipaddress = iif(isnotempty(Ipv4Addr), Ipv4Addr, iif(isnotempty(Ipv6Addr), Ipv6Addr, ""))
| where isnotempty(ipaddress) and isnotempty(EmIpAddr)
| summarize NumEvents_d = count() by ipaddress, EmIpAddr
| where NumEvents_d > 2
| sort by NumEvents_d asc
| project NumEvents_d, ipaddress, EmIpAddr
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml
queryPeriod: 5m
version: 2.0.0
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: ipaddress
  entityType: IP
alertDetailsOverride:
  alertDescriptionFormat: Dnsniff-Address-Check alert
  alertDisplayNameFormat: Dnsniff-Address-Check
customDetails:
  Ip: ipaddress
  NumEvents: NumEvents_d
  EmIp: EmIpAddr
queryFrequency: 5m
triggerOperator: gt
kind: Scheduled
id: d272e277-f285-4dbc-ae2d-7f65ba64a79e
tactics: []
query: ForescoutHostProperties_CL | extend  d = parse_json(HostProperties) | where d.DnsniffEvent matches regex "DNS Query Type:.A;DNS Query/Response:.Query" | extend ipaddress = iif(isnotempty(Ipv4Addr), Ipv4Addr, (iif(isnotempty(Ipv6Addr), Ipv6Addr, ""))) | where isnotempty(ipaddress) and isnotempty(EmIpAddr) | summarize NumEvents_d =count() by ipaddress, EmIpAddr | where NumEvents_d > 2 | sort by NumEvents_d asc | project NumEvents_d, ipaddress, EmIpAddr
requiredDataConnectors: []
triggerThreshold: 0
description: This rule creates an incident when more than a certain number of Dnsniff events are generated from a host
name: Forescout-DNS_Sniff_Event_Monitor
severity: Medium
relevantTechniques: []