Forum Discussion

Rob Nunley
Brass Contributor
Jun 14, 2021

DNS Logs

I am trying to track down a workstation that is accessing a known malicious website. I have a few DNS servers that send their logs to Sentinel.  Is there a way to find which workstation is accessing the site using Sentinel and KQL?


Thanks

  • Have you looked at the DNS workbook in Azure Sentinel? It has some examples, like this:

    DnsEvents
    // Normalise empty answer sections (the workbook does this; the column is not used below)
    | extend IPAddresses = iif(IPAddresses=="", "empty", IPAddresses)
    // Client lookups where the threat-intelligence enrichment populated MaliciousIP
    | where SubType == 'LookupQuery' and isnotempty(MaliciousIP)
    // One row per querying client and flagged IP, with the number of lookups
    | summarize Attempts = count() by ClientIP, MaliciousIP
    | project ClientIP , MaliciousIP, Attempts
      Rob Nunley
      Brass Contributor

      Hi CliveWatson,

      Thanks for the response.  Is there a way to run these queries using the domain instead of the IP?

        CliveWatson
        Microsoft
        There is the Name column?

        DnsEvents
        // Name holds the queried domain; keep only rows that have one
        | where isnotempty(Name)
        // Count lookups per client and domain, keeping the answer and result details
        | summarize Attempts = count() by ClientIP, MaliciousIP, Name, Result, SubType, IPAddresses
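Putting the two answers together for the original question (which client is querying one specific domain), the following is an added example and not a query from the thread or from the Sentinel DNS workbook. It assumes the DnsEvents table populated by the DNS Analytics solution, a placeholder domain bad.example.com that you replace with the real one, and, for the optional host-name join at the end, that the workstations also report to the Heartbeat table; that join is an assumption, not something the thread discusses.

```kusto
// Added example (not from the thread). bad.example.com is a placeholder domain.
let badDomain = "bad.example.com";
let lookback = 7d;
DnsEvents
| where TimeGenerated > ago(lookback)
// Only client lookups, not dynamic-registration or other record types
| where SubType == "LookupQuery"
// DNS names are case-insensitive, so compare in lower case;
// match the exact name or any subdomain of it
| extend Domain = tolower(Name)
| where Domain == badDomain or Domain endswith strcat(".", badDomain)
| summarize Attempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Answers = make_set(IPAddresses, 10),   // addresses the resolver returned
            Results = make_set(Result, 5)          // e.g. NOERROR / NXDOMAIN
  by ClientIP, Domain
// Optional: map ClientIP to a host name through Heartbeat (assumption: the workstations
// run the Log Analytics agent, whose reported address is ComputerIP). Left outer join so
// clients without an agent still appear, with an empty Computer column.
| join kind=leftouter (
    Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, Computer) by ComputerIP
    | project ClientIP = ComputerIP, Computer
  ) on ClientIP
| project ClientIP, Computer, Domain, Attempts, FirstSeen, LastSeen, Answers, Results
| order by Attempts desc
```

Two things to check before trusting the ClientIP column: if your DNS servers forward to one another, the forwarding server's address shows up as ClientIP rather than the workstation's, so run the query against the server the workstations actually point at; and the MaliciousIP column used in the first answer is only populated when the resolved address matches the threat-intelligence feed, so a domain-based hunt like this one does not depend on it.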
