| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | Networking |
| Version | 3.0.1 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-05-11 |
| Solution Folder | Windows Server DNS |
| Marketplace | Azure Marketplace · Rating: ★★★☆☆ 3.0/5 (1 rating) · Popularity: 🔵 Medium (60%) |
The DNS solution for Microsoft Sentinel allows you to ingest DNS analytic and audit logs into Microsoft Sentinel. The DNS logs are collected only from Windows agents.

Installing this solution deploys two data connectors:

- **DNS via AMA** - This data connector ingests Windows DNS logs into your Log Analytics workspace using the new Azure Monitor Agent (AMA). See the Azure Monitor Agent documentation for details on ingesting with AMA. Microsoft recommends using this data connector.
- **DNS via Legacy Agent** - This data connector ingests Windows DNS logs into your Log Analytics workspace using the legacy Log Analytics agent.

**NOTE**: Microsoft recommends installing DNS via AMA. The legacy connector uses the Log Analytics agent, which is scheduled for deprecation on **Aug 31, 2024**, and should therefore only be installed where AMA is not supported.
This solution provides 2 data connectors (listed above) and uses 4 tables:

| Table | Used By Connectors | Used By Content |
|---|---|---|
| ASimDnsActivityLogs | Windows DNS Events via AMA | - |
| DnsEvents | DNS | Analytics, Hunting, Workbooks |
| DnsInventory | DNS | Workbooks |
| SigninLogs | - | Hunting |
This solution includes 15 content items:
| Content Type | Count |
|---|---|
| Hunting Queries | 9 |
| Analytic Rules | 5 |
| Workbooks | 1 |
**Analytic Rules**

| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| DNS events related to ToR proxies | Low | Exfiltration | DnsEvents |
| DNS events related to mining pools | Low | Impact | DnsEvents |
| NRT DNS events related to mining pools | Low | Impact | DnsEvents |
| Potential DGA detected | Medium | CommandAndControl | DnsEvents |
| Rare client observed with high reverse DNS lookup count | Medium | Discovery | DnsEvents |
**Hunting Queries**

| Name | Tactics | Tables Used |
|---|---|---|
| Abnormally long DNS URI queries | CommandAndControl, Exfiltration | DnsEvents |
| DNS - domain anomalous lookup increase | CommandAndControl, Exfiltration | DnsEvents |
| DNS Domains linked to WannaCry ransomware campaign | Impact | DnsEvents |
| DNS Full Name anomalous lookup increase | CommandAndControl, Exfiltration | DnsEvents |
| DNS lookups for commonly abused TLDs | CommandAndControl, Exfiltration | DnsEvents |
| High reverse DNS count by host | Discovery | DnsEvents |
| Potential DGA detected | CommandAndControl | DnsEvents |
| Solorigate DNS Pattern | CommandAndControl | DnsEvents |
| Solorigate Encoded Domain in URL | CommandAndControl | SigninLogs |
**Workbooks**

| Name | Tables Used |
|---|---|
| Dns | DnsEvents, DnsInventory |
**Version History**

| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.1 | 19-03-2024 | Updated Entity Mappings of Analytic Rules |
| 3.0.0 | 18-09-2023 | Windows DNS Events via AMA data connector now generally available |