DNS Logs


I am trying to track down a workstation that is accessing a known malicious website. I have a few DNS servers that send their logs to Sentinel.  Is there a way to find which workstation is accessing the site using Sentinel and KQL?


Thanks

Have you looked at the DNS workbook in Azure Sentinel? That has some examples, like this:

DnsEvents
| extend IPAddresses = iif(IPAddresses=="", "empty", IPAddresses)
| where SubType == 'LookupQuery' and isnotempty(MaliciousIP)
| summarize Attempts = count() by ClientIP, MaliciousIP
| project ClientIP, MaliciousIP, Attempts

Hi @CliveWatson

Thanks for the response. Is there a way to run these queries using the domain instead of the IP?

There is the Name column?

DnsEvents
| where isnotempty(Name)
| summarize Attempts = count() by ClientIP, MaliciousIP, Name, Result, SubType, IPAddresses
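As an added example (not from the thread or the Sentinel workbook), this is how the Name column can be used to pin the lookup of one specific domain, and any of its subdomains, to the client IPs that requested it; the domain value is a constructed placeholder.

```kusto
// Added example, not part of the original thread.
// targetDomain is a constructed placeholder; substitute the real indicator.
let targetDomain = "malicious.example";
DnsEvents
| where SubType == "LookupQuery"
// exact match on the domain, or any subdomain of it (endswith is case-insensitive)
| where Name =~ targetDomain or Name endswith strcat(".", targetDomain)
| summarize Attempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Answers = make_set(IPAddresses)
          by ClientIP, Name
| order by LastSeen desc
```

ClientIP only identifies the workstation when the DNS server that logged the event received the query directly from it; if the query arrived through a forwarder or another resolver, ClientIP is that intermediate server and the search has to be repeated on its logs.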