Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Forescout-DNS_Sniff_Event_Monitor

Back
Idd272e277-f285-4dbc-ae2d-7f65ba64a79e
RulenameForescout-DNS_Sniff_Event_Monitor
DescriptionThis rule creates an incident when more than certain number of Dnsniff events are generated from a host
SeverityMedium
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml
Version1.0.1
Arm templated272e277-f285-4dbc-ae2d-7f65ba64a79e.json
Deploy To Azure
ForescoutHostProperties_CL | where HostProperties_DnsniffEvent_s matches regex "DNS Query Type:.A;DNS Query/Response:.Query" | extend ipaddress = iif(isnotempty(HostProperties_Ipv4Addr_s), HostProperties_Ipv4Addr_s, (iif(isnotempty(HostProperties_Ipv6Addr_s), HostProperties_Ipv6Addr_s, HostProperties_IpAddr_s))) | summarize NumEvents_d =count() by ipaddress, HostProperties_DnsniffEvent_s, HostProperties_EmIpAddr_s | where NumEvents_d > 2 | where isnotempty(ipaddress) and isnotempty(HostProperties_EmIpAddr_s) | sort by NumEvents_d asc | project NumEvents_d, ipaddress, HostProperties_EmIpAddr_s
customDetails:
  Ip: ipaddress
  NumEvents: NumEvents_d
  EmIp: HostProperties_EmIpAddr_s
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml
id: d272e277-f285-4dbc-ae2d-7f65ba64a79e
name: Forescout-DNS_Sniff_Event_Monitor
query: ForescoutHostProperties_CL | where HostProperties_DnsniffEvent_s matches regex "DNS Query Type:.A;DNS Query/Response:.Query" | extend ipaddress = iif(isnotempty(HostProperties_Ipv4Addr_s), HostProperties_Ipv4Addr_s, (iif(isnotempty(HostProperties_Ipv6Addr_s), HostProperties_Ipv6Addr_s, HostProperties_IpAddr_s))) | summarize NumEvents_d =count() by ipaddress, HostProperties_DnsniffEvent_s, HostProperties_EmIpAddr_s | where NumEvents_d > 2 | where isnotempty(ipaddress) and isnotempty(HostProperties_EmIpAddr_s) | sort by NumEvents_d asc | project NumEvents_d, ipaddress, HostProperties_EmIpAddr_s
entityMappings:
- fieldMappings:
  - columnName: ipaddress
    identifier: Address
  entityType: IP
queryPeriod: 5m
triggerThreshold: 0
tactics: []
version: 1.0.1
kind: Scheduled
relevantTechniques: []
queryFrequency: 5m
requiredDataConnectors: []
description: This rule creates an incident when more than certain number of Dnsniff events are generated from a host
alertDetailsOverride:
  alertDescriptionFormat: Dnsniff-Address-Check alert
  alertDisplayNameFormat: Dnsniff-Address-Check
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d272e277-f285-4dbc-ae2d-7f65ba64a79e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d272e277-f285-4dbc-ae2d-7f65ba64a79e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Dnsniff-Address-Check alert",
          "alertDisplayNameFormat": "Dnsniff-Address-Check"
        },
        "alertRuleTemplateName": "d272e277-f285-4dbc-ae2d-7f65ba64a79e",
        "customDetails": {
          "EmIp": "HostProperties_EmIpAddr_s",
          "Ip": "ipaddress",
          "NumEvents": "NumEvents_d"
        },
        "description": "This rule creates an incident when more than certain number of Dnsniff events are generated from a host",
        "displayName": "Forescout-DNS_Sniff_Event_Monitor",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ipaddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml",
        "query": "ForescoutHostProperties_CL | where HostProperties_DnsniffEvent_s matches regex \"DNS Query Type:.A;DNS Query/Response:.Query\" | extend ipaddress = iif(isnotempty(HostProperties_Ipv4Addr_s), HostProperties_Ipv4Addr_s, (iif(isnotempty(HostProperties_Ipv6Addr_s), HostProperties_Ipv6Addr_s, HostProperties_IpAddr_s))) | summarize NumEvents_d =count() by ipaddress, HostProperties_DnsniffEvent_s, HostProperties_EmIpAddr_s | where NumEvents_d > 2 | where isnotempty(ipaddress) and isnotempty(HostProperties_EmIpAddr_s) | sort by NumEvents_d asc | project NumEvents_d, ipaddress, HostProperties_EmIpAddr_s",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}