Anomaly Excessive NXDOMAIN DNS Queries - analytics rule

I have noticed that we see quite a few endpoints that are triggering the Excessive NXDOMAIN DNS Queries anomaly analytics rule in Microsoft Sentinel. When I investigate these for tuning purposes, I see that the vast majority of these queries (in the in-addr.arpa domain) are for IP addresses owned by Microsoft. It appears that Microsoft have no interest in publishing reverse DNS entries, because I am unable to resolve them from any online DNS tools. The whois records do point to Microsoft, though.

What's a good way to either stop this from happening, or eliminate the Microsoft IP address space from the query results?

1 Reply
In the query, it creates a variable called "allData" and then uses it further down in the query.
So I added a "where" clause to the usage of allData.
| where DnsQuery !contains "in-addr.arpa". Hopefully, that's not too kludgy.
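A narrower variant of the filter in the reply above, as an added KQL example (not from the original post and not the built-in rule's own query): instead of discarding every in-addr.arpa query, it rebuilds the forward address from the PTR name and drops only reverse lookups that fall inside ranges you have confirmed have no published reverse DNS, so reverse lookups for any other address space still count toward the anomaly. It assumes allData carries the DnsQuery column as the reply states; the two ranges are constructed placeholders, not Microsoft prefixes.

```kql
// Constructed placeholder ranges (RFC 5737 documentation space); replace with the
// prefixes you verified via whois as the owner's reverse-DNS-less address space.
let excluded_reverse_ranges = dynamic(["198.51.100.0/24", "203.0.113.0/24"]);
// allData is the intermediate result the rule builds (assumed to have one row per
// query with a DnsQuery column, as described in the reply above).
allData
// Split a PTR name such as 4.3.2.1.in-addr.arpa into its labels.
| extend PtrLabels = split(DnsQuery, ".")
// Rebuild the forward address (1.2.3.4) only for complete IPv4 PTR names; partial
// or non-PTR names leave ReverseIp empty and therefore stay in scope below.
| extend ReverseIp = iff(DnsQuery endswith ".in-addr.arpa" and array_length(PtrLabels) == 6,
    strcat_array(array_reverse(array_slice(PtrLabels, 0, 3)), "."),
    "")
// Keep every row except reverse lookups that land in the excluded ranges.
| where isempty(ReverseIp) or not(ipv4_is_in_any_range(ReverseIp, excluded_reverse_ranges))
```

Because only addresses inside the listed ranges are excluded, a burst of NXDOMAIN reverse lookups against other address space (for example, an endpoint sweeping a network) still triggers the rule.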