ForescoutHostProperties_CL | extend d = parse_json(HostProperties) | where d.DnsniffEvent matches regex "DNS Query Type:.A;DNS Query/Response:.Query" | extend ipaddress = iif(isnotempty(Ipv4Addr), Ipv4Addr, (iif(isnotempty(Ipv6Addr), Ipv6Addr, ""))) | where isnotempty(ipaddress) and isnotempty(EmIpAddr) | summarize NumEvents_d =count() by ipaddress, EmIpAddr | where NumEvents_d > 2 | sort by NumEvents_d asc | project NumEvents_d, ipaddress, EmIpAddr
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml
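# Microsoft Sentinel scheduled analytic rule.
# Fires when a host seen by Forescout produces a burst of "Dnsniff" DNS A-record
# query events towards the same EM address inside one 5-minute lookback.
kind: Scheduled
alertDetailsOverride:
  # {{column}} placeholders are filled from the query's projected columns, so the
  # incident title/description carry the host, peer and count without opening the query.
  alertDescriptionFormat: 'Dnsniff-Address-Check alert: host {{ipaddress}} produced {{NumEvents_d}} DNS A-record query events (EM {{EmIpAddr}}) within the 5-minute lookback'
  alertDisplayNameFormat: 'Dnsniff-Address-Check: {{ipaddress}}'
queryFrequency: 5m
# Query notes:
#  - HostProperties is stored as a JSON string; parse_json() exposes its DnsniffEvent
#    property, which is then matched with a regex.
#  - The '.' in "Type:.A" and "Response:.Query" is a single-character regex wildcard,
#    presumably standing in for a space in the Forescout string. NOTE(review): confirm
#    against real HostProperties samples and replace it with the literal separator so the
#    pattern cannot match other single characters.
#  - ipaddress is Ipv4Addr, falling back to Ipv6Addr; rows lacking both, or lacking
#    EmIpAddr, are dropped before counting.
#  - Events are counted per (ipaddress, EmIpAddr) pair and only pairs with more than 2
#    events are returned; results are sorted descending so the busiest pair is first in
#    the alert evidence.
query: ForescoutHostProperties_CL | extend d = parse_json(HostProperties) | where d.DnsniffEvent matches regex "DNS Query Type:.A;DNS Query/Response:.Query" | extend ipaddress = iif(isnotempty(Ipv4Addr), Ipv4Addr, (iif(isnotempty(Ipv6Addr), Ipv6Addr, ""))) | where isnotempty(ipaddress) and isnotempty(EmIpAddr) | summarize NumEvents_d =count() by ipaddress, EmIpAddr | where NumEvents_d > 2 | sort by NumEvents_d desc | project NumEvents_d, ipaddress, EmIpAddr
# NOTE(review): no tactic/technique mapping - incidents from this rule carry no ATT&CK
# context. A DNS-related technique should be added once the author confirms the intent.
relevantTechniques: []
entityMappings:
  # Only the querying host is mapped as an entity. EmIpAddr is exposed solely through
  # customDetails below; if it is an IP address, a second IP entity mapping on EmIpAddr
  # would let the peer take part in entity correlation and investigation graphs.
  - entityType: IP
    fieldMappings:
      - columnName: ipaddress
        identifier: Address
# NOTE(review): the data connector feeding ForescoutHostProperties_CL is not declared,
# so the rule deploys (and silently returns nothing) even when the table is absent.
requiredDataConnectors: []
customDetails:
  NumEvents: NumEvents_d
  EmIp: EmIpAddr
  Ip: ipaddress
name: Forescout-DNS_Sniff_Event_Monitor
# Threshold 0 with operator gt: any row returned by the query raises an alert. The real
# threshold (more than 2 events per host/EM pair) lives in the query itself.
triggerThreshold: 0
description: This rule creates an incident when a host generates more than 2 Dnsniff DNS A-record query events towards the same EM address within the 5-minute query window.
queryPeriod: 5m
version: 2.0.1
triggerOperator: gt
tactics: []
severity: Medium
id: d272e277-f285-4dbc-ae2d-7f65ba64a79e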