Forum Discussion

mj-ho
Copper Contributor
Aug 19, 2021

Azure Sentinel DNS Search query

Hello everyone,


I am looking for a way to search for specific domain names in the DNS query logs sent to Azure Sentinel.

I can see all the DNS requests present in the workbooks, showing things like the top looked-up domains, but I haven't been able to create a query that looks through all the logs for one or more specific domains.

  • m_zorich
    Iron Contributor
    For one domain

    DnsEvents
    | where SubType == "LookupQuery"
    | where Name == "domain.com"

    for multiples

    DnsEvents
    | where SubType == "LookupQuery"
    | where Name in ('domain1.com','domain2.com')


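Building on the answer above, here is an added example (not part of m_zorich's reply or of the thread) that also catches subdomains of each watched domain, normalises case, and summarises who looked them up and when. The domain list is a constructed placeholder; the column names (TimeGenerated, Computer, ClientIP, Name, SubType) are assumed to follow the DnsEvents schema populated by the DNS Analytics solution.

```kusto
// Added example: find lookups of a watched domain list, including subdomains.
// WatchedDomains is a constructed list; replace it with your own domains.
let WatchedDomains = dynamic(["domain1.com", "domain2.com"]);
DnsEvents
| where TimeGenerated > ago(7d)
| where SubType == "LookupQuery"
// DNS names are case-insensitive, so normalise before comparing.
| extend QueriedName = tolower(Name)
// Fan each event out against every watched domain, then keep matches.
| extend WatchedDomain = WatchedDomains
| mv-expand WatchedDomain to typeof(string)
| where QueriedName == WatchedDomain
    or QueriedName endswith strcat(".", WatchedDomain)   // e.g. www.domain1.com
| summarize Lookups = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Clients = make_set(ClientIP, 50),
            Names = make_set(QueriedName, 20)
          by WatchedDomain, Computer
| order by Lookups desc
```

The `endswith strcat(".", WatchedDomain)` clause is what distinguishes this from the exact-match version: `domain1.com` matches `www.domain1.com` but not `notdomain1.com`. For a list that is maintained outside the query, the same `mv-expand` pattern can be fed from a Sentinel watchlist via `_GetWatchlist('YourWatchlist')` instead of the inline `dynamic()` array.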