The Missing Domain Controller Heartbeat detection identifies potential adversary activity where the monitoring agents installed on Domain Controllers have stopped sending heartbeats to the workspace, which could indicate compromise of the host or tampering with its telemetry to cover exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect stealthy lateral movement or persistent adversaries disrupting domain controller communication.
KQL Query
let query_frequency = 15m;
let missing_period = 1h;
//Enter a reference list of hostnames for your DC servers
let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
//Alternatively, a Watchlist can be used
//let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;
Heartbeat
| summarize arg_max(TimeGenerated, *) by Computer
| where Computer in (DCServersList)
//You may specify the OS type of your Domain Controllers
//| where OSType == 'Windows'
| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))
| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions
| sort by TimeGenerated asc
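The query above only returns a Domain Controller while its last heartbeat falls inside the 15-minute window just past missing_period, so each outage is surfaced once, and a host with no Heartbeat row at all inside the lookback is never returned because summarize has nothing to aggregate for it. The following inventory-driven variant is an added example, not the rule author's code: it starts from the expected DC list so absent hosts are reported too, and classifies each host instead of relying on the one-shot window. The lookback value and the Status labels are assumptions for illustration.

```kql
// Added example (not from the original rule): inventory-driven check that also reports
// Domain Controllers with no heartbeat at all in the lookback.
let missing_period = 1h;
let lookback = 2h;                       // assumption: keep this >= the rule's queryPeriod
let DCServersList = dynamic(["DC01.simulandlabs.com", "DC02.simulandlabs.com"]);
// Turn the hostname array into a one-column table so hosts can be joined, not just filtered
let ExpectedDCs = print Computer = DCServersList
    | mv-expand Computer
    | project Computer = tostring(Computer);
ExpectedDCs
| join kind=leftouter (
    Heartbeat
    | where TimeGenerated > ago(lookback)
    | where Computer in (DCServersList)
    // Most recent heartbeat per host, keeping the agent details reported with it
    | summarize arg_max(TimeGenerated, OSType, Version) by Computer
    | project-rename LastHeartbeat = TimeGenerated
  ) on Computer
| extend MinutesSinceHeartbeat = datetime_diff('minute', now(), LastHeartbeat)
// Hosts missing from Heartbeat entirely have a null LastHeartbeat after the left outer join
| extend Status = case(
    isnull(LastHeartbeat), "no heartbeat in lookback",
    LastHeartbeat < ago(missing_period), "stale",
    "healthy")
| where Status != "healthy"
| project Computer, Status, LastHeartbeat, MinutesSinceHeartbeat, OSType, Version
| sort by LastHeartbeat asc
```

Because this form returns a stale host on every scheduled run for as long as the condition persists, it fits a hunting query or a rule with alert suppression configured; the original windowed query is the better choice when exactly one alert per outage is wanted.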
id: b8b8ba09-1e89-45a1-8bd7-691cd23bfa32
name: Missing Domain Controller Heartbeat
description: |
  'This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.'
severity: High
requiredDataConnectors: []
queryFrequency: 15m
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
  - DefenseEvasion
relevantTechniques:
  - T1499
  - T1564
query: |
  let query_frequency = 15m;
  let missing_period = 1h;
  //Enter a reference list of hostnames for your DC servers
  let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
  //Alternatively, a Watchlist can be used
  //let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;
  Heartbeat
  | summarize arg_max(TimeGenerated, *) by Computer
  | where Computer in (DCServersList)
  //You may specify the OS type of your Domain Controllers
  //| where OSType == 'Windows'
  | where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))
  | project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions
  | sort by TimeGenerated asc
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: Computer
version: 1.0.5
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Jose Sebastian Canos
  support:
    tier: Community
    providers: Microsoft
  categories:
    domains: [ "Security - Others" ]
| Sentinel Table | Notes |
|---|---|
| Heartbeat | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Maintenance or Reboot of Domain Controller | A Domain Controller was recently rebooted as part of routine maintenance, and the agent is still initializing or reconnecting. | Exclude hosts where the last heartbeat was received within the last 15 minutes of the reboot time, or filter by hosts with a known maintenance window. |
| Agent Configuration Change or Reinstall | The agent on the Domain Controller was reinstalled or reconfigured, causing a temporary loss of heartbeat. | Exclude hosts where the agent version or configuration was recently changed, or where the heartbeat was last received within the last 5 minutes of the configuration change. |
| Network Connectivity Issues During Peak Hours | Network congestion or routing issues caused a temporary loss of heartbeat from a Domain Controller during peak traffic times. | Exclude hosts where network latency or packet loss was detected during the same timeframe, or where heartbeat was received within the last 10 minutes of the network issue. |
| Active Directory Replication or Schema Update | A replication or schema update is in progress on the Domain Controller, causing the agent to temporarily lose heartbeat. | Exclude hosts where replication or schema update tasks are running, or where heartbeat was received within the last 5 minutes of the task start. |
| False Positive from a Non-DC Agent Misconfigured as DC | An agent from a non-DC server was mistakenly configured to report as a Domain Controller, leading to false heartbeat alerts. | Exclude hosts that are not listed in the Active Directory Domain Controllers list, or filter by hosts with the correct DC role assigned in AD. |
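Two of the exclusions above can be expressed directly in the rule query: the known-maintenance-window filter from the first scenario and the recent-agent-change filter from the second. The query below is an added example, not the rule author's code. It assumes a hypothetical watchlist named 'DC-MaintenanceWindows' with columns HostName, WindowStart and WindowEnd (datetime strings), and it treats more than one agent Version value in the Heartbeat table during the lookback as evidence of a reinstall or upgrade; the extra hour of lookback for that check is likewise an assumption.

```kql
// Added example (not from the original rule): the detection with maintenance-window and
// agent-change exclusions applied, with the suppression reason kept as a column for tuning.
let query_frequency = 15m;
let missing_period = 1h;
let DCServersList = dynamic(["DC01.simulandlabs.com", "DC02.simulandlabs.com"]);
// Assumed watchlist 'DC-MaintenanceWindows': HostName, WindowStart, WindowEnd
let MaintenanceWindows = _GetWatchlist('DC-MaintenanceWindows')
    | project HostName = tostring(HostName),
              WindowStart = todatetime(WindowStart),
              WindowEnd = todatetime(WindowEnd)
    | where now() between (WindowStart .. WindowEnd)   // keep only windows open right now
    | distinct HostName
    | extend InMaintenance = true;
// Hosts whose agent reported more than one version in the lookback: reinstall or upgrade in progress
let AgentChanged = Heartbeat
    | where TimeGenerated > ago(query_frequency + missing_period + 1h)
    | where Computer in (DCServersList)
    | summarize Versions = dcount(Version) by Computer
    | where Versions > 1
    | project Computer, AgentChanged = true;
Heartbeat
| summarize arg_max(TimeGenerated, *) by Computer
| where Computer in (DCServersList)
| where TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))
| join kind=leftouter MaintenanceWindows on $left.Computer == $right.HostName
| join kind=leftouter AgentChanged on Computer
// Unmatched rows carry null flags, which case() treats as not matching
| extend SuppressReason = case(
    InMaintenance == true, "maintenance window",
    AgentChanged == true, "agent version changed",
    "")
// Drop the benign cases; comment this line out to review them together with their reason
| where isempty(SuppressReason)
| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, SuppressReason
| sort by TimeGenerated asc
```

Keeping SuppressReason as a column rather than filtering inside each subquery makes it easy to verify, by temporarily removing the final where clause, that an exclusion is matching only the hosts it was meant to cover.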