Query Details

DNS Find Devices That Have Queried Suspicious Domains

Query

//When a domain is flagged by Defender for Cloud (Azure Security Center) as suspicious then find any other clients that have queried that domain in DNS events

//Data connector required for this query - DNS

let suspiciousurl=
SecurityAlert
| where AlertName startswith "Communication with suspicious random domain name"
| mv-expand todynamic(Entities)
| project Entities
| extend SuspiciousURL = tostring(Entities.DomainName)
| where isnotempty(SuspiciousURL)
| distinct SuspiciousURL;
DnsEvents
| where QueryType == "A"
| project Name, ClientIP
| where Name in (suspiciousurl)
| summarize ['Client IPs']=make_set(ClientIP) by Name

Explanation

This query looks for suspicious domains flagged by Azure Security Center and then finds any other clients that have queried those domains in DNS events. It uses the DNS data connector and filters DNS events for query type "A". It then projects the domain name and client IP, and filters for domains that match the suspicious URLs. Finally, it summarizes the results by the domain name and creates a set of client IPs that have queried each domain.
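The following is an added KQL variant, not part of the original query or of Matt Zorich's repository. It keeps the same correlation idea but carries the alert time through, so each client's first and last lookup can be placed relative to when the alert fired, and it widens the match to AAAA and CNAME queries. It also lower-cases both sides before matching, because the `in` operator is case-sensitive while DNS names are not. The seven-day lookback, the alert-name prefix and the `Entity.Type =~ "dns"` filter are assumptions for this example; the column names come from the standard SecurityAlert and DnsEvents schemas.

```kql
// Added example, not from the original page.
// Lookback window is an assumption; adjust to the retention of your workspace.
let lookback = 7d;
// Build a table of suspicious domains with the earliest time each was alerted on.
let suspiciousDomains =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where AlertName startswith "Communication with suspicious random domain name"
    // Expand the JSON entity array one entity per row.
    | mv-expand Entity = todynamic(Entities)
    // Keep only DNS entities (assumed entity type value "dns").
    | where tostring(Entity.Type) =~ "dns"
    // Normalise case so the later join is not defeated by mixed-case names.
    | extend SuspiciousDomain = tolower(tostring(Entity.DomainName))
    | where isnotempty(SuspiciousDomain)
    | summarize FirstAlert = min(TimeGenerated) by SuspiciousDomain;
DnsEvents
| where TimeGenerated > ago(lookback)
// Include IPv6 and CNAME lookups as well as IPv4.
| where QueryType in ("A", "AAAA", "CNAME")
| extend SuspiciousDomain = tolower(Name)
| join kind=inner suspiciousDomains on SuspiciousDomain
// One row per domain/client pair with query volume and timing.
| summarize QueryCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            FirstAlert = take_any(FirstAlert)
    by SuspiciousDomain, ClientIP
// Clients that resolved the domain before the first alert are the ones
// the original alert did not cover and deserve the earliest triage.
| extend QueriedBeforeAlert = FirstSeen < FirstAlert
| order by SuspiciousDomain asc, FirstSeen asc
```

Sorting by first-seen time per domain puts the earliest resolver at the top, which is usually the host worth looking at first during triage.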

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert, DnsEvents

Keywords

Devices, Intune, User, DNS

Operators

where, mv-expand, project, extend, isnotempty, distinct, summarize, make_set, by
