Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Forescout-DNS_Sniff_Event_Monitor

Forescout-DNS_Sniff_Event_Monitor

Back
Idd272e277-f285-4dbc-ae2d-7f65ba64a79e
RulenameForescout-DNS_Sniff_Event_Monitor
DescriptionThis rule creates an incident when more than certain number of Dnsniff events are generated from a host
SeverityMedium
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml
Version1.0.0
Arm templated272e277-f285-4dbc-ae2d-7f65ba64a79e.json
Deploy To Azure
ForescoutHostProperties_CL | where HostProperties_DnsniffEvent_s matches regex "DNS Query Type:.A;DNS Query/Response:.Query" | extend ipaddress = iif(isnotempty(HostProperties_Ipv4Addr_s), HostProperties_Ipv4Addr_s, (iif(isnotempty(HostProperties_Ipv6Addr_s), HostProperties_Ipv6Addr_s, HostProperties_IpAddr_s))) | summarize NumEvents_d =count() by ipaddress, HostProperties_DnsniffEvent_s, HostProperties_EmIpAddr_s | where NumEvents_d > 2 | where isnotempty(ipaddress) and isnotempty(HostProperties_EmIpAddr_s) | sort by NumEvents_d asc | project NumEvents_d, ipaddress, HostProperties_EmIpAddr_s

queryFrequency: 5m
severity: Medium
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml
relevantTechniques: []
query: ForescoutHostProperties_CL | where HostProperties_DnsniffEvent_s matches regex "DNS Query Type:.A;DNS Query/Response:.Query" | extend ipaddress = iif(isnotempty(HostProperties_Ipv4Addr_s), HostProperties_Ipv4Addr_s, (iif(isnotempty(HostProperties_Ipv6Addr_s), HostProperties_Ipv6Addr_s, HostProperties_IpAddr_s))) | summarize NumEvents_d =count() by ipaddress, HostProperties_DnsniffEvent_s, HostProperties_EmIpAddr_s | where NumEvents_d > 2 | where isnotempty(ipaddress) and isnotempty(HostProperties_EmIpAddr_s) | sort by NumEvents_d asc | project NumEvents_d, ipaddress, HostProperties_EmIpAddr_s
id: d272e277-f285-4dbc-ae2d-7f65ba64a79e
triggerOperator: gt
version: 1.0.0
customDetails:
  Ip: ipaddress
  EmIp: HostProperties_EmIpAddr_s
  NumEvents: NumEvents_d
description: This rule creates an incident when more than certain number of Dnsniff events are generated from a host
queryPeriod: 5m
alertDetailsOverride:
  alertDescriptionFormat: Dnsniff-Address-Check alert
  alertDisplayNameFormat: Dnsniff-Address-Check
requiredDataConnectors: []
name: Forescout-DNS_Sniff_Event_Monitor
tactics: []
kind: Scheduled

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d272e277-f285-4dbc-ae2d-7f65ba64a79e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d272e277-f285-4dbc-ae2d-7f65ba64a79e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Forescout-DNS_Sniff_Event_Monitor",
        "description": "This rule creates an incident when more than certain number of Dnsniff events are generated from a host",
        "severity": "Medium",
        "enabled": true,
        "query": "ForescoutHostProperties_CL | where HostProperties_DnsniffEvent_s matches regex \"DNS Query Type:.A;DNS Query/Response:.Query\" | extend ipaddress = iif(isnotempty(HostProperties_Ipv4Addr_s), HostProperties_Ipv4Addr_s, (iif(isnotempty(HostProperties_Ipv6Addr_s), HostProperties_Ipv6Addr_s, HostProperties_IpAddr_s))) | summarize NumEvents_d =count() by ipaddress, HostProperties_DnsniffEvent_s, HostProperties_EmIpAddr_s | where NumEvents_d > 2 | where isnotempty(ipaddress) and isnotempty(HostProperties_EmIpAddr_s) | sort by NumEvents_d asc | project NumEvents_d, ipaddress, HostProperties_EmIpAddr_s",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "alertRuleTemplateName": "d272e277-f285-4dbc-ae2d-7f65ba64a79e",
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Dnsniff-Address-Check alert",
          "alertDisplayNameFormat": "Dnsniff-Address-Check"
        },
        "customDetails": {
          "Ip": "ipaddress",
          "EmIp": "HostProperties_EmIpAddr_s",
          "NumEvents": "NumEvents_d"
        },
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}