Forum Discussion
SpeedRacer
Mar 28, 2023, Brass Contributor
DFI/DFE and IdentityQueryEvents DNS events
Should I expect to see any DNS query events from DFE endpoints in the IdentityQueryEvents schema table if I have DFI enabled?
This doc - Understand the advanced hunting schema - states the IdentityQueryEvents schema is for "Queries for Active Directory objects, such as users, groups, devices, and domains", but my understanding was that DNS query events from DFE endpoints would show up in the DeviceNetworkEvents schema table.
- josequintino, Iron Contributor
Your understanding is correct. When you have Device Filtering for Endpoints (DFE) enabled, DNS query events from DFE endpoints should typically appear in the DeviceNetworkEvents schema table, not the IdentityQueryEvents table.
The DeviceNetworkEvents table contains information about network-related events, including DNS queries, from devices that are being monitored. This table is more suitable for capturing DNS query events from DFE endpoints.
On the other hand, the IdentityQueryEvents table is designed to capture query events for Active Directory objects such as users, groups, devices, and domains. These are events that involve Active Directory queries, not DNS queries. As a result, you should not expect to see DNS query events from DFE endpoints in the IdentityQueryEvents table.
Keep in mind that schema definitions and table names might change over time as the platform evolves. To get the most up-to-date information, it's always a good idea to refer to the latest documentation available for the product.
- BillTheKid, Brass Contributor
SpeedRacer theoretically yes, but there might be edge-cases where some DNS requests won't be visible on MDI but rather on MDE, depending on what DNS server is used.
For MDE use ActionType: DnsQueryRequest
For MDI use ActionType: DNS query
I would suggest putting up use cases on both data sources.
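One way to act on the suggestion above is a single advanced hunting query that pulls DNS telemetry from both tables, using the two ActionType values named in the reply, and shows which sensor observed each name. This is an added example, not a query from the thread or from Microsoft's documentation; Timestamp, DeviceName and ActionType are standard columns, but the assumption that RemoteUrl (DeviceNetworkEvents) and QueryTarget (IdentityQueryEvents) hold the queried name should be checked against the current schema reference before use.

```kql
// Added example (not from the thread): DNS coverage across MDE and MDI in one query.
// Assumptions: RemoteUrl carries the queried name in DeviceNetworkEvents, and
// QueryTarget carries it in IdentityQueryEvents. Verify against the schema reference.
let lookback = 7d;
let mdeDns = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "DnsQueryRequest"          // MDE value from the reply
    | project Timestamp, Source = "MDE", DeviceName, QueryTarget = tostring(RemoteUrl);
let mdiDns = IdentityQueryEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "DNS query"                // MDI value from the reply
    | project Timestamp, Source = "MDI", DeviceName, QueryTarget = tostring(QueryTarget);
union mdeDns, mdiDns
| where isnotempty(QueryTarget)
| summarize QueryCount = count(),
            FirstSeen  = min(Timestamp),
            LastSeen   = max(Timestamp),
            Sources    = make_set(Source)
    by DeviceName, QueryTarget
// Names seen by only one sensor are the edge cases the reply describes: a detection
// that reads just one table would miss them, so keep use cases on both data sources.
| extend SeenByBothSensors = array_length(Sources) == 2
| order by SeenByBothSensors asc, QueryCount desc
```

Running this over a representative window before writing detections tells you, per device, whether DNS visibility comes from MDE, MDI or both, which is what decides where a given use case needs to live.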
- SpeedRacer, Brass Contributor
TYVM for the reply and info