Process: Adding and removing exceptions to the Missing Domain Controller Heartbeat Rule
When a change impacts a Domain Controller, it’s essential to include that Domain Controller in the exception lists to prevent the creation of False Positive Incidents.
Cyber Security manages Microsoft Sentinel and performs the process explained below.
Process:
1. Check the Change Window and send calendar invites to the team for adding the exception before the Change and removing it afterwards.
Adding to Exemption List Process:
1. Go to Microsoft Sentinel -> Analytic Rules -> Click on Missing Domain Controller Heartbeat and then Edit –
(Direct Link to Analytic Rule – Missing Domain Controller Heartbeat)
https://portal.azure.com/#view/Microsoft_Azure_Security_Insights/RuleEditor.ReactView/subscriptionId/c5b501f0-d7be-4167-a146-e724f5d2e662/resourceGroup/rg-sentinel-prd/workspaceName/la-sentinel-prd/trigger/edit/initiator/Analytics.ActiveRulesDetailsPanel.Edit/sourceId/7a5f3045-e081-4828-9510-a01d4a22120d/ruleKind/Scheduled
2. Click on “Set Rule Logic”
3. In the Rule Query, locate the affected Domain Controller (ex: "BEL-DC-01.mccc.mariecurie.local")
4. Add // before the affected Domain Controller (ex: //"BEL-DC-01.mccc.mariecurie.local"). This comments the DC out of the KQL query, so the rule no longer expects a heartbeat from it.
5. Click on “Review and Create” and wait for the validation to complete.
6. Ensure that the validation has passed. If it has not, read the error message: it shows the line number and describes the error.
7. Click on “Save”
Removing from Exemption List Process:
This process is the same as adding except you remove the //
1. Go to Microsoft Sentinel -> Analytic Rules -> Click on Missing Domain Controller Heartbeat and then Edit –
(Direct Link to Analytic Rule – Missing Domain Controller Heartbeat)
https://portal.azure.com/#view/Microsoft_Azure_Security_Insights/RuleEditor.ReactView/subscriptionId/c5b501f0-d7be-4167-a146-e724f5d2e662/resourceGroup/rg-sentinel-prd/workspaceName/la-sentinel-prd/trigger/edit/initiator/Analytics.ActiveRulesDetailsPanel.Edit/sourceId/7a5f3045-e081-4828-9510-a01d4a22120d/ruleKind/Scheduled
2. Click on “Set Rule Logic”
3. In the Rule Query, locate the affected Domain Controller (ex: //"BEL-DC-01.mccc.mariecurie.local")
4. Remove the // before the affected Domain Controller (ex: "BEL-DC-01.mccc.mariecurie.local"). This puts the DC back into the KQL query, so the rule expects a heartbeat from it again.
5. Click on “Review and Create” and wait for the validation to complete.
6. Click on Save
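The rule's own query is not reproduced in this document, so the helper below is an added example and not part of this process or of the Sentinel rule. It assumes the expected-DC list in the rule query is a KQL dynamic([...]) array with one quoted FQDN per line, which is the shape the commenting convention in step 4 of both procedures implies; the SAMPLE_QUERY text and the DC names in it are constructed for the example. It shows which DCs are currently commented out (useful when checking that every exception added for a Change has been removed again) and toggles a single exception the same way steps 3 and 4 do, so the edited query can be reviewed in a diff before it is pasted into Set Rule Logic.

```python
import re

# Constructed sample of the ASSUMED rule query shape (one quoted DC FQDN per
# line inside dynamic([...])). The real rule text is not on this page.
SAMPLE_QUERY = """let ExpectedDCs = dynamic([
    "BEL-DC-01.mccc.mariecurie.local",
    //"BEL-DC-02.mccc.mariecurie.local",
    "BEL-DC-03.mccc.mariecurie.local"
]);
let SeenDCs = Heartbeat
    | where TimeGenerated > ago(1h)
    | summarize make_set(Computer);
print MissingDCs = set_difference(ExpectedDCs, toscalar(SeenDCs))
"""

# A list entry line: optional indent, optional "//" (the exception marker),
# the quoted FQDN, then an optional trailing comma.
DC_LINE = re.compile(
    r'^(?P<indent>\s*)(?P<comment>//\s*)?"(?P<dc>[^"]+)"(?P<tail>\s*,?\s*)$'
)


def list_exceptions(query: str) -> tuple[list[str], list[str]]:
    """Return (active_dcs, excepted_dcs) found in the expected-DC list."""
    active, excepted = [], []
    for line in query.splitlines():
        m = DC_LINE.match(line)
        if not m:
            continue  # not a list entry (e.g. the Heartbeat pipeline lines)
        (excepted if m.group("comment") else active).append(m.group("dc"))
    return active, excepted


def set_exception(query: str, dc: str, excepted: bool) -> str:
    """Comment the DC out (excepted=True) or back in (excepted=False).

    Raises ValueError if the DC is not in the list or is already in the
    requested state, so a double-add or double-remove is caught before the
    query reaches the portal.
    """
    lines = query.split("\n")  # split("\n") keeps the trailing newline intact
    hits = 0
    for i, line in enumerate(lines):
        m = DC_LINE.match(line)
        if not m or m.group("dc").lower() != dc.lower():
            continue
        hits += 1
        if bool(m.group("comment")) == excepted:
            state = "excepted" if excepted else "active"
            raise ValueError(f"{dc} is already {state}")
        prefix = "//" if excepted else ""
        lines[i] = f'{m.group("indent")}{prefix}"{m.group("dc")}"{m.group("tail")}'
    if hits == 0:
        raise ValueError(f"{dc} not found in the expected-DC list")
    return "\n".join(lines)


if __name__ == "__main__":
    active, excepted = list_exceptions(SAMPLE_QUERY)
    print("active:  ", active)
    print("excepted:", excepted)
    # Add an exception for a DC affected by a Change, then print the query.
    print(set_exception(SAMPLE_QUERY, "BEL-DC-01.mccc.mariecurie.local", True))
```

The helper only edits the text of the query; the portal's "Review and Create" validation in step 5 remains the check that the edited query still parses before it is saved.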