Query Details
**Detect Malicious IP answers by DNS queries**
**Description:** The aim of this query is to detect suspicious IP addresses returned as DNS answers, validate them against an external threat-intelligence (TI) feed, and raise an alert when there are matches.
```
// IPsum feed: comment lines start with "#", data lines are "<ip><whitespace><number of blacklists>".
// The feed is tab-separated, so the fields are extracted on any whitespace rather than a literal space.
let IPList = externaldata (Line:string) ["https://raw.githubusercontent.com/stamparm/ipsum/refs/heads/master/ipsum.txt"] with(format="txt")
| where isnotempty(Line) and Line !startswith "#"
| extend IP = extract(@"^(\S+)\s+(\d+)", 1, Line), BL = toint(extract(@"^(\S+)\s+(\d+)", 2, Line))
| where isnotempty(IP)
| project IP, BL;
DeviceNetworkEvents
| where AdditionalFields has "answers"      // cheap pre-filter: only DNS events carry the answers array
| extend af = parse_json(AdditionalFields)
| extend answers = af.answers, query = tostring(af.query)
| mv-expand answers to typeof(string)       // one row per answer, typed as string so the join key matches IPList.IP
| extend Type = case(
    answers matches regex @"^(\d{1,3}\.){3}\d{1,3}$", "IPv4",
    answers matches regex @"^([a-fA-F0-9:]+)$", "IPv6",
    answers contains ".", "URL",
    "Unknown")
| where Type == "IPv4"
| join kind=inner (IPList) on $left.answers == $right.IP
| where BL > 1                              // keep only answers listed on more than one blacklist
| extend Geo_info_answer = tostring(geo_info_from_ip_address(answers).country)
| extend Geo_info_RemoteIP = tostring(geo_info_from_ip_address(RemoteIP).country)
| summarize dcount_answers = dcount(answers), set_answers = make_set(answers), set_query = make_set(query), set_Geo_info_answer = make_set(Geo_info_answer), set_ActionType = make_set(ActionType) by DeviceName, RemoteIP, Geo_info_RemoteIP
| order by dcount_answers desc
```
This query is designed to detect potentially malicious IP addresses that are returned as answers to DNS queries. Here is a simplified breakdown of what the query does:

1. **Load External IP List:** It retrieves a list of known suspicious IP addresses from an external threat-intelligence feed available online.
2. **Filter and Format IP List:** The list is filtered to remove comment lines (those starting with "#") and each remaining line is split into an IP address and a blacklist score (BL).
3. **Extract DNS Query Data:** From the DeviceNetworkEvents table, it extracts the DNS answers and queries from the AdditionalFields column, which contains JSON data.
4. **Identify IP Type:** It checks whether each DNS answer is an IPv4 address using a regular expression.
5. **Match Against Suspicious IPs:** The query then matches these IPv4 addresses against the external list of suspicious IPs.
6. **Geolocation Information:** It adds geolocation information (country) for both the DNS answer IP and the remote IP involved in the network event.
7. **Filter by Blacklist Score:** Only IPs with a blacklist score greater than 1 are considered suspicious and included in the results.
8. **Summarize Results:** Finally, it summarizes the data by counting distinct suspicious IP answers and grouping them by device name, remote IP, and the remote IP's geolocation.
9. **Order Results:** The results are ordered by the count of distinct suspicious IP answers.

In essence, this query helps identify and alert on DNS queries that return IP addresses known to be potentially harmful, based on an external threat-intelligence feed.
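An offline reference implementation of the same matching logic, added here as an example (it is not part of the original query), useful for validating the feed parsing and the answer classification against constructed sample events before deploying the KQL. The feed lines and event records are constructed to mimic the ipsum layout and the AdditionalFields JSON; geolocation is omitted since it needs the Kusto function.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the ipsum.txt layout: comment lines, then "<ip><tab><number of blacklists>".
FEED_LINES = [
    "# IPsum Threat Intelligence Feed (constructed sample)",
    "203.0.113.10\t7",
    "198.51.100.5\t1",  # listed on only one blacklist: dropped by the BL > 1 rule
    "192.0.2.77\t3",
]

# Constructed DeviceNetworkEvents-like rows; AdditionalFields carries the DNS JSON the query parses.
EVENTS = [
    {"DeviceName": "wks-01", "RemoteIP": "10.0.0.53",
     "AdditionalFields": json.dumps({"query": "bad.example", "answers": ["203.0.113.10", "2001:db8::1"]})},
    {"DeviceName": "wks-01", "RemoteIP": "10.0.0.53",
     "AdditionalFields": json.dumps({"query": "cdn.example", "answers": ["198.51.100.5", "cdn.example.net"]})},
    {"DeviceName": "srv-02", "RemoteIP": "10.0.0.53",
     "AdditionalFields": json.dumps({"query": "also-bad.example", "answers": ["192.0.2.77"]})},
]

def load_feed(lines):
    """Parse ipsum-style lines into {ip: blacklist_count}; skip comments, blanks and BL <= 1."""
    feed = {}
    for line in lines:
        parts = line.split()  # splits on tabs or spaces alike
        if not parts or parts[0].startswith("#") or len(parts) < 2 or not parts[1].isdigit():
            continue
        if int(parts[1]) > 1:  # same threshold as the query's `where BL > 1`
            feed[parts[0]] = int(parts[1])
    return feed

def is_ipv4(answer):
    """Strict IPv4 check; unlike the query's regex it also rejects octets above 255."""
    try:
        return isinstance(ipaddress.ip_address(answer), ipaddress.IPv4Address)
    except ValueError:
        return False

def find_matches(events, feed):
    """Mirror the query's join + summarize: {(DeviceName, RemoteIP): {answers, queries}}."""
    hits = defaultdict(lambda: {"answers": set(), "queries": set()})
    for ev in events:
        af = json.loads(ev["AdditionalFields"])
        for answer in af.get("answers", []):  # one row per answer, like mv-expand
            if is_ipv4(answer) and answer in feed:
                key = (ev["DeviceName"], ev["RemoteIP"])
                hits[key]["answers"].add(answer)
                hits[key]["queries"].add(af.get("query", ""))
    return dict(hits)
```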

Sergio Albea
Released: March 14, 2025