Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Forescout-DNS_Sniff_Event_Monitor

Forescout-DNS_Sniff_Event_Monitor

Back
Idd272e277-f285-4dbc-ae2d-7f65ba64a79e
RulenameForescout-DNS_Sniff_Event_Monitor
DescriptionThis rule creates an incident when more than certain number of Dnsniff events are generated from a host
SeverityMedium
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml
Version1.0.0
Arm templated272e277-f285-4dbc-ae2d-7f65ba64a79e.json
Deploy To Azure
ForescoutHostProperties_CL | where HostProperties_DnsniffEvent_s matches regex "DNS Query Type:.A;DNS Query/Response:.Query" | extend ipaddress = iif(isnotempty(HostProperties_Ipv4Addr_s), HostProperties_Ipv4Addr_s, (iif(isnotempty(HostProperties_Ipv6Addr_s), HostProperties_Ipv6Addr_s, HostProperties_IpAddr_s))) | summarize NumEvents_d =count() by ipaddress, HostProperties_DnsniffEvent_s, HostProperties_EmIpAddr_s | where NumEvents_d > 2 | where isnotempty(ipaddress) and isnotempty(HostProperties_EmIpAddr_s) | sort by NumEvents_d asc | project NumEvents_d, ipaddress, HostProperties_EmIpAddr_s

version: 1.0.0
name: Forescout-DNS_Sniff_Event_Monitor
severity: Medium
queryFrequency: 5m
kind: Scheduled
queryPeriod: 5m
description: This rule creates an incident when more than certain number of Dnsniff events are generated from a host
query: ForescoutHostProperties_CL | where HostProperties_DnsniffEvent_s matches regex "DNS Query Type:.A;DNS Query/Response:.Query" | extend ipaddress = iif(isnotempty(HostProperties_Ipv4Addr_s), HostProperties_Ipv4Addr_s, (iif(isnotempty(HostProperties_Ipv6Addr_s), HostProperties_Ipv6Addr_s, HostProperties_IpAddr_s))) | summarize NumEvents_d =count() by ipaddress, HostProperties_DnsniffEvent_s, HostProperties_EmIpAddr_s | where NumEvents_d > 2 | where isnotempty(ipaddress) and isnotempty(HostProperties_EmIpAddr_s) | sort by NumEvents_d asc | project NumEvents_d, ipaddress, HostProperties_EmIpAddr_s
tactics: []
triggerOperator: gt
customDetails:
  EmIp: HostProperties_EmIpAddr_s
  Ip: ipaddress
  NumEvents: NumEvents_d
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml
requiredDataConnectors: []
relevantTechniques: []
alertDetailsOverride:
  alertDisplayNameFormat: Dnsniff-Address-Check
  alertDescriptionFormat: Dnsniff-Address-Check alert
id: d272e277-f285-4dbc-ae2d-7f65ba64a79e

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d272e277-f285-4dbc-ae2d-7f65ba64a79e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d272e277-f285-4dbc-ae2d-7f65ba64a79e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Forescout-DNS_Sniff_Event_Monitor",
        "description": "This rule creates an incident when more than certain number of Dnsniff events are generated from a host",
        "severity": "Medium",
        "enabled": true,
        "query": "ForescoutHostProperties_CL | where HostProperties_DnsniffEvent_s matches regex \"DNS Query Type:.A;DNS Query/Response:.Query\" | extend ipaddress = iif(isnotempty(HostProperties_Ipv4Addr_s), HostProperties_Ipv4Addr_s, (iif(isnotempty(HostProperties_Ipv6Addr_s), HostProperties_Ipv6Addr_s, HostProperties_IpAddr_s))) | summarize NumEvents_d =count() by ipaddress, HostProperties_DnsniffEvent_s, HostProperties_EmIpAddr_s | where NumEvents_d > 2 | where isnotempty(ipaddress) and isnotempty(HostProperties_EmIpAddr_s) | sort by NumEvents_d asc | project NumEvents_d, ipaddress, HostProperties_EmIpAddr_s",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "alertRuleTemplateName": "d272e277-f285-4dbc-ae2d-7f65ba64a79e",
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Dnsniff-Address-Check",
          "alertDescriptionFormat": "Dnsniff-Address-Check alert"
        },
        "customDetails": {
          "EmIp": "HostProperties_EmIpAddr_s",
          "NumEvents": "NumEvents_d",
          "Ip": "ipaddress"
        },
        "entityMappings": null,
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml"
      }
    }
  ]
}