Query Details

DNS Activity Attempts Per Device

Query

//Joins DnsEvents and DnsInventory to show computer, domain, and IP of device attempts

DnsEvents
// Keep only events from the last 30 days (ago() is required; a bare 30d is a timespan, not a datetime)
| where TimeGenerated >= ago(30d)
// Enrich each DNS event with the inventory record for the same computer
| join DnsInventory on Computer
// Drop rows that carry no domain name
| where isnotempty(DomainName)
| sort by TimeGenerated
// Count attempts for each time, computer, client IP and domain combination
| summarize Attempts = count() by TimeGenerated, Computer, ClientIP, DomainName

Explanation

This query combines data from the DnsEvents and DnsInventory tables to show which computers attempted to resolve which domains. It filters the data to events from the past 30 days, joins the two tables on the Computer field, removes any rows without a domain name, sorts the results by the time the events were generated, and summarizes the number of attempts for each combination of time, computer, client IP, and domain name.
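As an added example (not part of the original query page), the same join extended to bucket attempts into hourly bins and surface the devices whose query volume for a single domain exceeds a threshold; the one-hour bin and the threshold of 100 are assumed values to tune per environment.

```kql
// Added example: hourly attempt counts per device and domain, flagging bursts.
// The bin size and the threshold are assumed values, not taken from the original query.
let lookback = 30d;
let burst_threshold = 100;   // assumed: attempts per device, per domain, per hour
DnsEvents
| where TimeGenerated >= ago(lookback)
| join kind=inner DnsInventory on Computer
| where isnotempty(DomainName)
// Collapse events into hourly buckets and keep the first/last time seen in each bucket
| summarize Attempts = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by TimeBucket = bin(TimeGenerated, 1h), Computer, ClientIP, DomainName
// Keep only device/domain pairs whose hourly volume is unusually high
| where Attempts > burst_threshold
| sort by Attempts desc
```

Bucketing by bin(TimeGenerated, 1h) instead of the raw timestamp is what makes the Attempts column meaningful, since summarizing on an exact timestamp usually yields one row per event.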

Details


Rod Trent

Released: July 22, 2021

Tables

DnsEvents, DnsInventory

Keywords

DnsEvents, DnsInventory, Computer, Domain, IP, Device, Attempts, TimeGenerated, ClientIP, DomainName

Operators

where, join, isnotempty, sort by, summarize, count()
