Forum Discussion
Rob Nunley
Jun 14, 2021 (Brass Contributor)
DNS Logs
I am trying to track down a workstation that is accessing a known malicious website. I have a few DNS servers that send their logs to Sentinel. Is there a way to find which workstation is accessing ...
CliveWatson
Jun 14, 2021 (Microsoft)
Have you looked at the DNS workbook in Azure Sentinel? That has some examples, like this:
DnsEvents
| extend IPAddresses = iif(IPAddresses == "", "empty", IPAddresses)   // label empty answer sets (not used further here)
| where SubType == 'LookupQuery' and isnotempty(MaliciousIP)           // only lookups the solution flagged against a known-bad IP
| summarize Attempts = count() by ClientIP, MaliciousIP                // one row per querying client and bad IP
| project ClientIP, MaliciousIP, Attempts
- Rob Nunley, Jun 22, 2021 (Brass Contributor)
Hi CliveWatson
Thanks for the response. Is there a way to run these queries using the domain instead of the IP?
- CliveWatson, Jun 22, 2021 (Microsoft)
There is the Name column?
DnsEvents
| where isnotempty(Name)                 // Name holds the queried domain for LookupQuery rows
| summarize Attempts = count() by ClientIP, MaliciousIP, Name, Result, SubType, IPAddresses
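As an added example (not from the thread and not the Sentinel workbook's own query), the following hunt pivots on a domain rather than an IP: it matches the Name column against a target domain and its subdomains, counts lookups per ClientIP, and then joins the agent Heartbeat table to attach a best-effort hostname. It assumes the DnsEvents schema from the Log Analytics DNS solution (TimeGenerated, SubType, Name, ClientIP, Computer) and the Heartbeat table (ComputerIP, Computer); `badsite.example` is a placeholder for the known malicious domain.

```kql
// Added example, not from the thread. Replace badsite.example with the real domain.
let target_domain = "badsite.example";   // placeholder for the known malicious domain
let lookback = 7d;                       // assumed hunting window
DnsEvents
| where TimeGenerated > ago(lookback)
| where SubType == "LookupQuery"
// match the domain itself and any subdomain; =~ and endswith are case-insensitive in KQL
| where Name =~ target_domain or Name endswith strcat(".", target_domain)
| summarize Attempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Names = make_set(Name, 20),          // exact FQDNs queried
            DnsServers = make_set(Computer, 5)   // DNS servers that logged the query
    by ClientIP
// best-effort ClientIP -> hostname mapping from the most recent agent heartbeat per IP
| join kind=leftouter (
    Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, Computer) by ComputerIP
    | project ClientIP = ComputerIP, Computer
  ) on ClientIP
| project ClientIP, Computer, Attempts, FirstSeen, LastSeen, Names, DnsServers
| order by Attempts desc
```

Two caveats a practitioner should keep in mind. ClientIP is whatever sent the query to the logging DNS server, so if workstations resolve through an intermediate forwarder or another resolver, you will see that resolver's address rather than the workstation's, and you have to repeat the search on the resolver's own logs. The Heartbeat join only covers hosts running the monitoring agent and takes the latest lease owner for an IP, so on DHCP networks with short leases the mapping should be checked against the FirstSeen/LastSeen window (or replaced with DHCP server logs) before treating the hostname as the culprit.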