DNS Essentials Solution for Microsoft Sentinel (Preview)

Solution: DNS Essentials



| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.4 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2023-01-14 |
| Solution Folder | DNS Essentials |
| Marketplace | Azure Marketplace · Popularity: 🔵 Medium (74%) |

This is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions listed below, or any other connector or data source whose logs are normalized to ASIM.

Prerequisite

Install one or more of the listed solutions, or develop your own custom ASIM parsers, to unlock the value provided by this solution:

1. Windows Server DNS
2. Azure Firewall
3. Cisco Umbrella
4. Corelight Zeek
5. Google Cloud Platform DNS
6. Infoblox NIOS
7. ISC Bind
8. Vectra AI
9. Zscaler Internet Access

Underlying Microsoft Technologies used

This solution takes a dependency on the following technologies; some of these dependencies may be in Preview state or may result in additional ingestion or operational costs:

1. Product solutions as described above
2. Logic app for data summarization

Recommendation

It is highly recommended to use the Summarize Data for DNS Essentials Solution logic app playbook provided with this solution, as it significantly improves the performance of the workbook, analytic rules and hunting queries.

Contents

Data Connectors

This solution does not include data connectors.

This solution may contain other components such as analytics rules, workbooks, hunting queries, or playbooks.

Internal Tables

The following 5 tables are used internally by this solution's content items:

| Table | Used By Content |
|---|---|
| Anomalies | Analytics, Hunting |
| DNS_Summarized_Logs_ip_CL | Analytics, Hunting, Playbooks (writes), Workbooks |
| DNS_Summarized_Logs_sourceInfo_CL | Playbooks (writes), Workbooks |
| SecurityAlert | Workbooks |
| ThreatIntelIndicators | Workbooks |

Content Items

This solution includes 21 content items:

| Content Type | Count |
|---|---|
| Hunting Queries | 10 |
| Analytic Rules | 9 |
| Workbooks | 1 |
| Playbooks | 1 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Detect DNS queries reporting multiple errors from different clients - Anomaly Based (ASIM DNS Solution) | Medium | CommandAndControl | Internal use: Anomalies, DNS_Summarized_Logs_ip_CL |
| Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) | Medium | CommandAndControl | - |
| Detect excessive NXDOMAIN DNS queries - Anomaly based (ASIM DNS Solution) | Medium | CommandAndControl | Internal use: Anomalies, DNS_Summarized_Logs_ip_CL |
| Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) | Medium | CommandAndControl | - |
| Ngrok Reverse Proxy on Network (ASIM DNS Solution) | Medium | CommandAndControl | - |
| Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Anomaly based (ASIM DNS Solution) | Medium | CommandAndControl | Internal use: Anomalies, DNS_Summarized_Logs_ip_CL |
| Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) | Medium | CommandAndControl | - |
| Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution) | Medium | Reconnaissance | - |
| Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution) | Medium | Reconnaissance | - |

Hunting Queries

| Name | Tactics | Tables Used |
|---|---|---|
| CVE-2020-1350 (SIGRED) exploitation pattern (ASIM DNS Solution) | DefenseEvasion, PrivilegeEscalation | - |
| Connection to Unpopular Website Detected (ASIM DNS Solution) | CommandAndControl | Internal use: DNS_Summarized_Logs_ip_CL |
| Increase in DNS Requests by client than the daily average count (ASIM DNS Solution) | CommandAndControl, Exfiltration | - |
| Possible DNS Tunneling or Data Exfiltration Activity (ASIM DNS Solution) | CommandAndControl, Exfiltration | - |
| Potential beaconing activity (ASIM DNS Solution) | CommandAndControl | - |
| Top 25 DNS queries with most failures in last 24 hours (ASIM DNS Solution) | CommandAndControl | - |
| Top 25 Domains with large number of Subdomains (ASIM DNS Solution) | CommandAndControl, Exfiltration | - |
| Top 25 Sources(Clients) with high number of errors in last 24hours (ASIM DNS Solution) | CommandAndControl | - |
| Unexpected top level domains (ASIM DNS Solution) | CommandAndControl | - |
| [Anomaly] Anomalous Increase in DNS activity by clients (ASIM DNS Solution) | CommandAndControl, Exfiltration | Internal use: Anomalies, DNS_Summarized_Logs_ip_CL |

Workbooks

| Name | Tables Used |
|---|---|
| DNSSolutionWorkbook | Internal use: DNS_Summarized_Logs_ip_CL, DNS_Summarized_Logs_sourceInfo_CL, SecurityAlert, ThreatIntelIndicators |

Playbooks

| Name | Description | Tables Used |
|---|---|---|
| Summarize Data for DNS Essentials Solution | This playbook summarizes data for the DNS Essentials Solution and ingests it into custom tables. | Internal use: DNS_Summarized_Logs_ip_CL (read/write), DNS_Summarized_Logs_sourceInfo_CL (read/write) |

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.4 | 02-07-2025 | Updated new ThreatIntelIndicators table references using parser. |
| 3.0.3 | 28-11-2024 | Update Analytic Rule MultipleErrorsReportedForSameDNSQueryStaticThresholdBased.yaml to fix bug. |
| 3.0.2 | 29-07-2024 | Update Hunting Queries to fix TTP. |
| 3.0.1 | 31-01-2023 | Updated the solution to fix Analytic Rules deployment issue. |
| 3.0.2 | 12-03-2024 | Added new Analytic rule and repackaged solution. |
