Oct 02 2024 09:52 AM
I have noticed that we see quite a few endpoints that are triggering the Excessive NXDOMAIN DNS Queries anomaly analytics rule in Microsoft Sentinel. When I investigate these for tuning purposes, I see that the vast majority of these queries (in the in-addr.arpa domain) are for IP addresses owned by Microsoft. It appears that Microsoft have no interest in publishing reverse DNS entries, because I am unable to resolve them from any online DNS tools. The whois records do point to Microsoft, though.
What's a good way to either stop this from happening, or eliminate the Microsoft IP address space from the query results?
Oct 11 2024 07:11 AM