DnsEvents


Back to Tables Index


Reference for the DnsEvents table in Azure Monitor Logs.

Attribute Value
Category Network
Basic Logs Eligible ✗ No
Supports Transformations ✓ Yes
Ingestion API Supported ✗ No
Azure Monitor Tables Reference View Documentation


Schema (25 columns)

Source: Azure Monitor documentation

Column Name Type Description
_BilledSize real The record size in bytes
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account
_ResourceId string A unique identifier for the resource that the record is associated with
_SubscriptionId string A unique identifier for the subscription that the record is associated with
ClientIP string
Computer string
Confidence string
Description string
EventId int
IndicatorThreatType string
IPAddresses string
MaliciousIP string
Message string
QueryType string
RemoteIPCountry string
RemoteIPLatitude real
RemoteIPLongitude real
Result string
ResultCode int
Severity int
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
SubType string
TaskCategory string
TimeGenerated datetime
Type string The name of the table

Solutions (15)

This table is used by the following solutions:

Connectors (1)

This table is ingested by the following connectors:

Connector Selection Criteria
DNS

Content Items Using This Table (42)

Analytic Rules (16)

In solution Apache Log4j Vulnerability Detection:

Analytic Rule Selection Criteria
Log4j vulnerability exploit aka Log4Shell IP IOC

In solution GreyNoiseThreatIntelligence:

Analytic Rule Selection Criteria
GreyNoise TI Map IP Entity to DnsEvents

In solution Lumen Defender Threat Feed:

Analytic Rule Selection Criteria
Lumen TI domain in DnsEvents

In solution Threat Intelligence:

Analytic Rule Selection Criteria
TI Map IP Entity to DnsEvents
TI map Domain entity to DnsEvents

In solution Threat Intelligence (NEW):

Analytic Rule Selection Criteria
TI Map IP Entity to DnsEvents
TI map Domain entity to DnsEvents

In solution ThreatConnect:

Analytic Rule Selection Criteria
Threat Connect TI map Domain entity to DnsEvents

In solution Windows Server DNS:

Analytic Rule Selection Criteria
DNS events related to ToR proxies
DNS events related to mining pools
NRT DNS events related to mining pools
Potential DGA detected
Rare client observed with high reverse DNS lookup count

In solution Zinc Open Source:

Analytic Rule Selection Criteria
[Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022

Standalone Content:

Analytic Rule Selection Criteria
Europium - Hash and IP IOCs - September 2022
Mercury - Domain, Hash and IP IOCs - August 2022

Hunting Queries (10)

In solution Attacker Tools Threat Protection Essentials:

Hunting Query Selection Criteria
Cobalt Strike DNS Beaconing

In solution Windows Server DNS:

Hunting Query Selection Criteria
Abnormally long DNS URI queries
DNS - domain anomalous lookup increase
DNS Domains linked to WannaCry ransomware campaign
DNS Full Name anomalous lookup increase
DNS lookups for commonly abused TLDs
High reverse DNS count by host
Potential DGA detected
Solorigate DNS Pattern

Standalone Content:

Hunting Query Selection Criteria
RareDNSLookupWithDataTransfer
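The analytic rules and hunting queries listed above run as KQL against DnsEvents inside Sentinel. The block below is an added example, not the KQL of those rules and not Microsoft code: it re-expresses four of the ideas they describe in Python so the logic can be run offline over constructed rows shaped like this table. Covered: a high NXDOMAIN count per client (the idea behind "Potential DGA detected"), reverse-lookup volume per client ("High reverse DNS count by host"), abnormally long query names, and lookups under commonly abused TLDs. It uses the ClientIP, QueryType and ResultCode columns from the schema section; the Name column (the queried name) and the QueryType value "PTR" are assumptions not confirmed by this page's column list, and the abused-TLD list and all sample rows are constructed.

```python
"""Hunting logic over DnsEvents-shaped rows, expressed in Python.

Added example; not the KQL of the Sentinel rules and hunting queries, nor
Microsoft code. "Name" as the column holding the queried name and "PTR" as a
QueryType value are assumptions. All rows and the TLD list are constructed.
"""
from collections import Counter

NXDOMAIN = 3  # DNS RCODE 3, "name does not exist" (RFC 1035)
ARPA_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")  # reverse-lookup zones (RFC 1035 / RFC 3596)
ABUSED_TLDS = {"xyz", "top", "tk", "zip"}  # constructed watch list; tune to your own data


def _row(client_ip, name, result_code=0, query_type="A"):
    """Build one DnsEvents-shaped lookup row (constructed, not real telemetry)."""
    return {"ClientIP": client_ip, "Name": name, "ResultCode": result_code,
            "QueryType": query_type, "SubType": "LookupQuery"}


ROWS = [
    # 10.0.0.5: six NXDOMAIN answers for random-looking names, the DGA pattern
    *[_row("10.0.0.5", f"{label}.example.net", result_code=NXDOMAIN)
      for label in ("kq3x9vzl", "p0w7mzq2", "zz81qkvt", "m4nq7xcp", "v9t2lkzb", "q7x1pmzr")],
    _row("10.0.0.5", "www.example.com"),  # normal traffic from the same client
    # 10.0.0.9: three reverse lookups, the shape of internal reconnaissance
    _row("10.0.0.9", "3.2.0.10.in-addr.arpa", query_type="PTR"),
    _row("10.0.0.9", "4.2.0.10.in-addr.arpa", query_type="PTR"),
    _row("10.0.0.9", "5.2.0.10.in-addr.arpa", query_type="PTR"),
    # 10.0.0.7: an abnormally long name, the shape of DNS tunnelling or exfil
    _row("10.0.0.7", "a" * 60 + "." + "b" * 45 + ".example.com"),
    # 10.0.0.11: a lookup under a commonly abused TLD
    _row("10.0.0.11", "update.bad-example.xyz"),
]


def _fqdn(row):
    """Queried name with the trailing dot stripped and case folded."""
    return row["Name"].rstrip(".").lower()


def high_nxdomain_clients(rows, threshold=5):
    """Clients with at least `threshold` NXDOMAIN responses.

    KQL shape: DnsEvents | where ResultCode == 3
               | summarize n = count() by ClientIP | where n >= threshold
    """
    counts = Counter(r["ClientIP"] for r in rows if int(r["ResultCode"]) == NXDOMAIN)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def reverse_lookup_counts(rows):
    """Reverse-lookup count per client, matching on PTR type or an *.arpa suffix."""
    counts = Counter()
    for r in rows:
        if r.get("QueryType") == "PTR" or _fqdn(r).endswith(ARPA_SUFFIXES):
            counts[r["ClientIP"]] += 1
    return dict(counts)


def long_queries(rows, max_len=100):
    """(ClientIP, Name) for query names longer than max_len characters."""
    return [(r["ClientIP"], r["Name"]) for r in rows if len(_fqdn(r)) > max_len]


def abused_tld_lookups(rows, tlds=ABUSED_TLDS):
    """(ClientIP, Name) for lookups whose top-level label is on the watch list."""
    return [(r["ClientIP"], r["Name"]) for r in rows
            if _fqdn(r).rsplit(".", 1)[-1] in tlds]


if __name__ == "__main__":
    print("high NXDOMAIN:", high_nxdomain_clients(ROWS))
    print("reverse lookups:", reverse_lookup_counts(ROWS))
    print("long queries:", long_queries(ROWS))
    print("abused TLDs:", abused_tld_lookups(ROWS))
```

The thresholds are deliberately low so the constructed rows trigger; in production each of these is a per-client aggregate over a time window, and the NXDOMAIN count in particular needs a baseline, since misconfigured clients and search-list expansion produce NXDOMAIN noise that looks like a DGA at low thresholds.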

Workbooks (16)

In solution ContinuousDiagnostics&Mitigation:

Workbook Selection Criteria
ContinuousDiagnostics&Mitigation

In solution Lumen Defender Threat Feed:

Workbook Selection Criteria
Lumen-Threat-Feed-Overview

In solution MaturityModelForEventLogManagementM2131:

Workbook Selection Criteria
MaturityModelForEventLogManagement_M2131

In solution NISTSP80053:

Workbook Selection Criteria
NISTSP80053

In solution SOC Handbook:

Workbook Selection Criteria
InvestigationInsights
SecurityStatus

In solution Windows Server DNS:

Workbook Selection Criteria
Dns

In solution ZeroTrust(TIC3.0):

Workbook Selection Criteria
ZeroTrustTIC3

GitHub Only:

Workbook Selection Criteria
Dns
DoDZeroTrustWorkbook
InvestigationInsights
SecurityStatus
SentinelWorkspaceReconTools
SolarWindsPostCompromiseHunting
UserMap
ZeroTrustStrategyWorkbook

Parsers Using This Table (1)

ASIM Parsers (1)

Parser Schema Product Selection Criteria
ASimDnsMicrosoftOMS Dns MS DNS Events
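The ASimDnsMicrosoftOMS parser listed above normalises this table into the ASIM DNS schema so that ASIM-based content can query DnsEvents alongside other DNS sources. The block below is an added example, not that parser's code and not Microsoft code: it shows the shape of such a mapping from the columns in the schema section to ASIM-style fields, including the RCODE-to-result translation and the filtering of non-lookup rows. The ASIM field names (SrcIpAddr, DnsQuery, DnsQueryTypeName, DnsResponseCode, DnsResponseName, EventResult, EventResultDetails) are taken from the ASIM DNS schema as assumed here and should be checked against the current schema; the Name column, the SubType value "LookupQuery" and the sample rows are assumptions constructed for the example.

```python
"""Map DnsEvents rows onto ASIM DNS-style fields.

Added example, not the ASimDnsMicrosoftOMS parser or any Microsoft code.
ASIM field names are assumed from the ASIM DNS schema; "Name" as the queried
name column and "LookupQuery" as the SubType value are assumptions. Rows are
constructed.
"""
from __future__ import annotations

# DNS RCODE values (RFC 1035 / IANA DNS parameters); ResultCode is an int.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}

# Constructed rows using columns from the schema section plus the assumed Name column.
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-03-01T10:00:00Z", "Computer": "dns01.corp.example",
     "ClientIP": "10.1.2.3", "SubType": "LookupQuery", "QueryType": "A",
     "Name": "WWW.Example.com.", "ResultCode": 0, "IPAddresses": "93.184.216.34"},
    {"TimeGenerated": "2024-03-01T10:00:01Z", "Computer": "dns01.corp.example",
     "ClientIP": "10.1.2.3", "SubType": "LookupQuery", "QueryType": "A",
     "Name": "x7k2q9zz.example.net", "ResultCode": 3, "IPAddresses": ""},
    {"TimeGenerated": "2024-03-01T10:00:02Z", "Computer": "dns01.corp.example",
     "ClientIP": "10.1.2.4", "SubType": "DynamicRegistration", "QueryType": "",
     "Name": "host42.corp.example", "ResultCode": 0, "IPAddresses": "10.1.2.4"},
]


def normalize(row: dict) -> dict | None:
    """Return an ASIM-style record for a lookup row, or None for other subtypes."""
    if row.get("SubType") != "LookupQuery":
        return None  # registrations and other subtypes are not DNS query events
    rcode = int(row["ResultCode"])
    return {
        "TimeGenerated": row["TimeGenerated"],
        "EventType": "Query",
        "EventVendor": "Microsoft",
        "EventProduct": "DNS Server",
        "DvcHostname": row["Computer"],
        "SrcIpAddr": row["ClientIP"],
        "DnsQuery": row["Name"].rstrip(".").lower(),  # drop trailing dot, fold case
        "DnsQueryTypeName": row.get("QueryType") or None,
        "DnsResponseCode": rcode,
        "DnsResponseName": row.get("IPAddresses") or None,
        "EventResult": "Success" if rcode == 0 else "Failure",
        "EventResultDetails": RCODE_NAMES.get(rcode, f"RCODE{rcode}"),
    }


def normalize_all(rows: list[dict]) -> list[dict]:
    """Normalise every lookup row, silently dropping non-lookup subtypes."""
    out = []
    for row in rows:
        rec = normalize(row)
        if rec is not None:
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in normalize_all(SAMPLE_ROWS):
        print(rec["SrcIpAddr"], rec["DnsQuery"], rec["EventResult"], rec["EventResultDetails"])
```

The case folding and trailing-dot handling matter in practice: threat-intelligence matches such as the "TI map Domain entity to DnsEvents" rules above compare the queried name against indicator lists, and an un-normalised "WWW.Example.com." will not match "www.example.com".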

Resource Types

This table collects data from the following Azure resource types:

