Microsoft Sentinel Analytic Rules

Forescout-DNS_Sniff_Event_Monitor

Id: d272e277-f285-4dbc-ae2d-7f65ba64a79e
Rulename: Forescout-DNS_Sniff_Event_Monitor
Description: This rule creates an incident when more than a certain number of Dnsniff events are generated from a host
Severity: Medium
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml
Version: 2.0.0
Arm template: d272e277-f285-4dbc-ae2d-7f65ba64a79e.json
ForescoutHostProperties_CL
| extend d = parse_json(HostProperties)
// keep only Dnsniff events that are A-record DNS queries (not responses)
| where d.DnsniffEvent matches regex "DNS Query Type:.A;DNS Query/Response:.Query"
// use the host's IPv4 address, falling back to IPv6 when no IPv4 address is present
| extend ipaddress = iif(isnotempty(Ipv4Addr), Ipv4Addr, iif(isnotempty(Ipv6Addr), Ipv6Addr, ""))
| where isnotempty(ipaddress) and isnotempty(EmIpAddr)
// count events per host / Enterprise Manager pair and keep hosts above the threshold
| summarize NumEvents_d = count() by ipaddress, EmIpAddr
| where NumEvents_d > 2
| sort by NumEvents_d asc
| project NumEvents_d, ipaddress, EmIpAddr
severity: Medium
queryPeriod: 5m
name: Forescout-DNS_Sniff_Event_Monitor
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml
entityMappings:
- fieldMappings:
  - columnName: ipaddress
    identifier: Address
  entityType: IP
alertDetailsOverride:
  alertDescriptionFormat: Dnsniff-Address-Check alert
  alertDisplayNameFormat: Dnsniff-Address-Check
version: 2.0.0
relevantTechniques: []
id: d272e277-f285-4dbc-ae2d-7f65ba64a79e
queryFrequency: 5m
triggerThreshold: 0
triggerOperator: gt
query: |
  ForescoutHostProperties_CL
  | extend d = parse_json(HostProperties)
  // keep only Dnsniff events that are A-record DNS queries (not responses)
  | where d.DnsniffEvent matches regex "DNS Query Type:.A;DNS Query/Response:.Query"
  // use the host's IPv4 address, falling back to IPv6 when no IPv4 address is present
  | extend ipaddress = iif(isnotempty(Ipv4Addr), Ipv4Addr, iif(isnotempty(Ipv6Addr), Ipv6Addr, ""))
  | where isnotempty(ipaddress) and isnotempty(EmIpAddr)
  // count events per host / Enterprise Manager pair and keep hosts above the threshold
  | summarize NumEvents_d = count() by ipaddress, EmIpAddr
  | where NumEvents_d > 2
  | sort by NumEvents_d asc
  | project NumEvents_d, ipaddress, EmIpAddr
customDetails:
  NumEvents: NumEvents_d
  Ip: ipaddress
  EmIp: EmIpAddr
description: This rule creates an incident when more than certain number of Dnsniff events are generated from a host
requiredDataConnectors: []
tactics: []
kind: Scheduled