Forum Discussion
Excessive lookup queries from DNS
I assume you meant that for every KQL query executed in the LA workspace there is DNS query activity observed, correct?
What do the observed DNS lookup queries indicate in terms of FQDN/DNS records? And how did you establish that those DNS queries are related to queries executed in the Log Analytics workspace?
- Pranesh1060, Aug 25, 2020, Brass Contributor
That post was written in a hurry; let me try to post the exact scenario:
1) Random requests are being generated from endpoint machines trying to connect to random suspicious domains. This has caused a surge in the number of requests made by endpoints via the DNS servers to the internet.
2) These alerts are being generated from ASC, and since it is connected with Sentinel, the alerts are being replicated.
Using the DG algorithm, we come across a new domain every time there is a new alert. Now the question here is that we do not have alerts from any other security tools; we tried scanning the machines, but the results came back clean. Not all the alerts are from one location or one particular endpoint.
Just wanted to know if anyone here has faced something of this kind or might have suggestions as to how we can tackle these alerts, and whether there were any changes recently made to ASC that we are not aware of.
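The scenario above (ASC alerts on suspicious domains replicated into Sentinel, with the underlying DNS lookups coming from many endpoints) is the kind of thing a hunting query can pin down before anyone scans hosts again. The following KQL is an added example written for this thread, not a query from the original post or from Microsoft: it pulls the alerted domains out of the `SecurityAlert` entities and joins them to the raw `DnsEvents` lookups so you can see which clients actually resolved each domain, how often, and via which DNS servers. It assumes ASC alerts arrive with `ProductName == "Azure Security Center"`, that the DNS entity in the alert carries a `DomainName` field, and that the workspace has the DNS Analytics `DnsEvents` table; the 7-day lookback is an arbitrary choice.

```kusto
// Added example for this thread (not from the original post). Assumes the
// Sentinel SecurityAlert table and the DNS Analytics DnsEvents table.
let lookback = 7d;
// 1) Domains named in the ASC alerts that were replicated into Sentinel.
let alertDomains =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProductName == "Azure Security Center"   // assumption: ASC connector product name
    | mv-expand Entity = todynamic(Entities)          // Entities is a JSON array of typed entities
    | where tostring(Entity.Type) == "dns"
    | extend Domain = tolower(tostring(Entity.DomainName))
    | where isnotempty(Domain)
    | summarize AlertCount = count(),
                FirstAlert = min(TimeGenerated),
                LastAlert = max(TimeGenerated),
                AlertNames = make_set(AlertName),
                AlertedHosts = make_set(CompromisedEntity)
          by Domain;
// 2) Who actually looked those domains up, according to the DNS servers' logs.
alertDomains
| join kind=leftouter (
    DnsEvents
    | where TimeGenerated > ago(lookback)
    | where SubType == "LookupQuery"
    | extend Domain = tolower(Name)
    | summarize Lookups = count(),
                Clients = make_set(ClientIP),        // endpoints issuing the query
                DnsServers = make_set(Computer)      // DNS servers that logged it
          by Domain
  ) on Domain
| project Domain, AlertCount, AlertNames, AlertedHosts,
          Lookups, Clients, DnsServers, FirstAlert, LastAlert
| order by AlertCount desc
```

Rows with a non-empty `Clients` set but no overlap with `AlertedHosts` show the alert is firing on a name that more machines than the flagged one are resolving, which points toward a shared cause (a common agent, proxy or resolver) rather than a per-host infection; rows with `Lookups` empty mean the alerted domain never appeared in the DNS server logs at all and the alert is worth questioning on its own terms.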