DNS Logs

Rob Nunley · ‎Jun 13 2021

I am trying to track down a workstation that is accessing a known malicious website. I have a few DNS servers that send their logs to Sentinel. Is there a way to find which workstation is accessing the site using Sentinel and KQL?

Thanks

CliveWatson · ‎Jun 14 2021

Have you looked at the DNS workbook in Azure Sentinel, that has some examples. like this:

DnsEvents
| extend IPAddresses = iif(IPAddresses=="", "empty", IPAddresses)
| where SubType == 'LookupQuery' and isnotempty(MaliciousIP)
| summarize Attempts = count() by ClientIP, MaliciousIP
| project ClientIP , MaliciousIP, Attempts

Rob Nunley · ‎Jun 21 2021

Hi @CliveWatson

Thanks for the response. Is there a way to run these queries using the domain instead of the IP?

CliveWatson · ‎Jun 22 2021

There is the Name column?

DnsEvents
| where isnotempty(Name)
| summarize Attempts = count() by ClientIP, MaliciousIP, Name, Result, SubType, IPAddresses

DNS Logs

DNS Logs

Re: DNS Logs

Re: DNS Logs

Re: DNS Logs

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

DNS Logs