Reference for DnsEvents table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Network |
| Basic Logs Eligible | ✗ No (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Lake-Only Ingestion | ✓ Yes (source) |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| ClientIP | string | |
| Computer | string | |
| Confidence | string | |
| Description | string | |
| EventId | int | |
| IndicatorThreatType | string | |
| IPAddresses | string | |
| MaliciousIP | string | |
| Message | string | |
| QueryType | string | |
| RemoteIPCountry | string | |
| RemoteIPLatitude | real | |
| RemoteIPLongitude | real | |
| Result | string | |
| ResultCode | int | |
| Severity | int | |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| SubType | string | |
| TaskCategory | string | |
| TimeGenerated | datetime | |
| Type | string | The name of the table |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| DNS | |
In solution Apache Log4j Vulnerability Detection:
| Analytic Rule | Selection Criteria |
|---|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC | |
In solution GreyNoiseThreatIntelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| GreyNoise TI Map IP Entity to DnsEvents | SubType == "LookupQuery" |
In solution Lumen Defender Threat Feed:
| Analytic Rule | Selection Criteria |
|---|---|
| Lumen TI domain in DnsEvents | |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map IP Entity to DnsEvents | SubType == "LookupQuery" |
| TI map Domain entity to DnsEvents | |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI Map IP Entity to DnsEvents | SubType == "LookupQuery" |
| TI map Domain entity to DnsEvents | |
In solution ThreatConnect:
| Analytic Rule | Selection Criteria |
|---|---|
| Threat Connect TI map Domain entity to DnsEvents | |
In solution Windows Server DNS:
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 | |
In solution Attacker Tools Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Cobalt Strike DNS Beaconing | |
In solution Windows Server DNS:
| Hunting Query | Selection Criteria |
|---|---|
| Abnormally long DNS URI queries | |
| DNS - domain anomalous lookup increase | SubType == "LookupQuery" |
| DNS Domains linked to WannaCry ransomware campaign | |
| DNS Full Name anomalous lookup increase | SubType == "LookupQuery" |
| DNS lookups for commonly abused TLDs | |
| High reverse DNS count by host | |
| Potential DGA detected | |
| Solorigate DNS Pattern | IPAddresses != "127.0.0.1" |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation | |
In solution Lumen Defender Threat Feed:
| Workbook | Selection Criteria |
|---|---|
| Lumen-Threat-Feed-Overview | |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 | |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| InvestigationInsights | ResultCode == "0" |
| SecurityStatus | |
In solution Windows Server DNS:
| Workbook | Selection Criteria |
|---|---|
| Dns | |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimDnsMicrosoftOMS | Dns | MS DNS Events | |
This table collects data from the following Azure resource types:
- microsoft.compute/virtualmachines
- microsoft.connectedvmwarevsphere/virtualmachines
- microsoft.azurestackhci/virtualmachines
- microsoft.scvmm/virtualmachines
References by type: 0 connectors, 7 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| SubType == "LookupQuery" | - | 5 | - | - | 5 |
| IPAddresses != "127.0.0.1" | - | 1 | - | - | 1 |
| ResultCode == "0" | - | 1 | - | - | 1 |
| Total | 0 | 7 | 0 | 0 | 7 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| != 127.0.0.1 | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| 0 | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| LookupQuery | - | 5 | - | - | 5 |