DNS Logs

I am trying to track down a workstation that is accessing a known malicious website. I have a few DNS servers that send their logs to Sentinel.  Is there a way to find which workstation is accessing the site using Sentinel and KQL?

Thanks

3 Replies
Have you looked at the DNS workbook in Azure Sentinel? It has some examples, like this:

DnsEvents
// Normalise blank resolution results so they group cleanly
| extend IPAddresses = iif(IPAddresses == "", "empty", IPAddresses)
// Keep only lookups where the resolved IP matched a threat-intel indicator
| where SubType == 'LookupQuery' and isnotempty(MaliciousIP)
// Count attempts per client / malicious IP pair
| summarize Attempts = count() by ClientIP, MaliciousIP
| project ClientIP, MaliciousIP, Attempts

Hi @CliveWatson 

Thanks for the response. Is there a way to run these queries using the domain instead of the IP?

There is the Name column?

DnsEvents
// Name is the queried domain; drop rows without one
| where isnotempty(Name)
// Group by client and queried name, keeping the result and resolved IPs for context
| summarize Attempts = count() by ClientIP, MaliciousIP, Name, Result, SubType, IPAddresses
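For a worked domain-based hunt, here is an added example (not from the thread or the Sentinel DNS workbook) that filters on the queried Name instead of MaliciousIP, so it works for a domain that is not in the threat-intel feed. It assumes the standard DnsEvents columns (TimeGenerated, Computer, ClientIP, Name, SubType, IPAddresses); "malicious.example" is a placeholder for the site being tracked down.

```kql
// Added example, not from the original thread.
// Assumes the standard DnsEvents schema; suspectDomain is a placeholder.
let suspectDomain = "malicious.example";
let lookback = 30d;
DnsEvents
| where TimeGenerated > ago(lookback)
| where SubType == "LookupQuery"
// Match the domain itself and any subdomain (both operators are case-insensitive)
| where Name =~ suspectDomain or Name endswith strcat(".", suspectDomain)
| summarize
    Attempts    = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    QueriedNames = make_set(Name, 20),        // exact FQDNs requested
    DnsServers  = make_set(Computer, 10),     // DNS servers that logged the query
    ResolvedTo  = make_set(IPAddresses, 10)   // answers returned to the client
    by ClientIP
| order by Attempts desc
```

ClientIP is the address the DNS server saw the query come from, so if workstations resolve through an intermediate forwarder you will get the forwarder's address rather than the workstation's and will need the forwarder's own logs. Mapping the IP back to a hostname also needs a second source (DHCP lease records, or DnsEvents dynamic-registration rows if your servers log them), since a lookup row only carries the client IP.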