DFI/DFE and IdentityQueryEvents DNS events


Should I expect to see any DNS query events from DFE endpoints in the IdentityQueryEvents schema table if I have DFI enabled?


This doc - Understand the advanced hunting schema - states the IdentityQueryEvents schema is for "Queries for Active Directory objects, such as users, groups, devices, and domains", but my understanding was that DNS query events from DFE endpoints would show up in the DeviceNetworkEvents schema table.

3 Replies

@SpeedRacer Theoretically yes, but there might be edge cases where some DNS requests won't be visible on MDI but rather on MDE, depending on what DNS server is used.


For MDE use ActionType: DnsQueryRequest

For MDI use ActionType: DNS query


I would suggest putting up use cases on both data sources.

TYVM for the reply and info
Your understanding is correct. When you have Device Filtering for Endpoints (DFE) enabled, DNS query events from DFE endpoints should typically appear in the DeviceNetworkEvents schema table, not the IdentityQueryEvents table.

The DeviceNetworkEvents table contains information about network-related events, including DNS queries, from devices that are being monitored. This table is more suitable for capturing DNS query events from DFE endpoints.

On the other hand, the IdentityQueryEvents table is designed to capture query events for Active Directory objects such as users, groups, devices, and domains. These are events that involve Active Directory queries, not DNS queries. As a result, you should not expect to see DNS query events from DFE endpoints in the IdentityQueryEvents table.

Keep in mind that schema definitions and table names might change over time as the platform evolves. To get the most up-to-date information, it's always a good idea to refer to the latest documentation available for the product.
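Putting the two replies above into practice (the first reply's advice to cover both data sources with their respective ActionType values, and the later reply's point that DNS activity from endpoints lands in DeviceNetworkEvents rather than IdentityQueryEvents), here is an added advanced hunting query. It is an example written for this thread, not something posted by the participants or taken from Microsoft documentation. The ActionType strings come from the reply above; the column names used to normalise the two tables (RemoteUrl and InitiatingProcessFileName on the MDE side, QueryTarget and Application on the MDI side) and the watchlist of suffixes are assumptions to be checked against the current schema reference before use.

```kql
// Added example: one query over both DNS sources, MDE (DeviceNetworkEvents)
// and MDI (IdentityQueryEvents), so a name queried through either path is
// caught and so you can see which source actually observed it.
let lookback = 1d;
// Constructed sample watchlist of suffixes to flag; replace with your own.
let watchSuffixes = dynamic([".example-bad.test", ".xyz"]);
// MDE side: ActionType value as given in the reply above; RemoteUrl and
// InitiatingProcessFileName are assumed to hold the queried name and process.
let mde = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "DnsQueryRequest"
    | project Timestamp, Source = "MDE", DeviceName,
              QueriedName = tolower(RemoteUrl),
              Context = InitiatingProcessFileName;
// MDI side: ActionType value as given in the reply above; QueryTarget and
// Application are assumed to hold the queried name and the querying application.
let mdi = IdentityQueryEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "DNS query"
    | project Timestamp, Source = "MDI", DeviceName,
              QueriedName = tolower(QueryTarget),
              Context = Application;
union mde, mdi
| where isnotempty(QueriedName)
// Flag names ending in a watched suffix.
| extend OnWatchlist = QueriedName has_any (watchSuffixes)
| summarize QueryCount = count(),
            Sources = make_set(Source),        // which product(s) saw this name
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Contexts = make_set(Context, 10)
          by DeviceName, QueriedName, OnWatchlist
// SeenInOneSourceOnly highlights the visibility gap the first reply describes:
// a name present in only one table means the other product did not see it.
| extend SeenInOneSourceOnly = array_length(Sources) == 1
| order by OnWatchlist desc, QueryCount desc
```

Run it for a short lookback first and check the Sources column: if every row shows only "MDE" or only "MDI", the other data source is not delivering DNS events for those devices in your environment, which is the case to account for when building detections on either table alone.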