Query Details
// Credit: Suraj Kumar. Modified from his query
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| extend AdditionalFields_query = tostring(parse_json(AdditionalFields)["query"])
| where AdditionalFields_query endswith ".onion"
| summarize count() by AdditionalFields_query, DeviceName
This query is analyzing network events from devices over the past 90 days. Here's a simple breakdown of what it does:
Data Source: It starts by looking at DeviceNetworkEvents, which contains network-related data from various devices.
Time Filter: It filters the data to include only events that have occurred in the last 90 days.
Extracting Information: It extracts a specific field called query from a JSON object within a column named AdditionalFields. This extracted value is stored in a new column called AdditionalFields_query.
Filtering for .onion Domains: It further filters the data to include only those events where the AdditionalFields_query ends with ".onion". This typically indicates an attempt to reach a site on the Tor network, since Tor onion services use the ".onion" top-level domain.
Summarizing Results: Finally, it counts the number of such events and groups them by the AdditionalFields_query and the DeviceName. This provides a summary of how many times each device accessed ".onion" sites and which specific queries were made.
In essence, the query is identifying and counting instances where devices accessed Tor network sites over the past 90 days.
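To show the same detection logic outside Sentinel, here is an added Python re-implementation (not part of the original page or the credited query) run over a few constructed DeviceNetworkEvents-style rows. It mirrors each stage of the KQL pipeline and, unlike the original, also tolerates a trailing dot on absolute DNS names; the sample rows, device names and timestamps are made up.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like DeviceNetworkEvents; not real telemetry.
NOW = datetime(2024, 11, 11, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(days=3), "DeviceName": "ws-01",
     "AdditionalFields": '{"query":"abcdefghijklmnop.onion","type":"A"}'},
    {"TimeGenerated": NOW - timedelta(days=10), "DeviceName": "ws-01",
     "AdditionalFields": '{"query":"abcdefghijklmnop.onion","type":"AAAA"}'},
    {"TimeGenerated": NOW - timedelta(days=45), "DeviceName": "ws-02",
     "AdditionalFields": '{"query":"EXAMPLE.ONION.","type":"A"}'},  # upper-case, trailing dot
    {"TimeGenerated": NOW - timedelta(days=120), "DeviceName": "ws-02",
     "AdditionalFields": '{"query":"old.onion","type":"A"}'},       # outside the 90-day window
    {"TimeGenerated": NOW - timedelta(days=1), "DeviceName": "ws-03",
     "AdditionalFields": '{"query":"login.example.com","type":"A"}'},
    {"TimeGenerated": NOW - timedelta(days=2), "DeviceName": "ws-03",
     "AdditionalFields": "not json"},                              # unparsable field
]

def extract_query(additional_fields):
    """Mirror tostring(parse_json(AdditionalFields)["query"]): return the
    query string, or "" when the field is missing or not valid JSON."""
    try:
        value = json.loads(additional_fields).get("query")
    except (ValueError, AttributeError):
        return ""
    return "" if value is None else str(value)

def onion_queries_by_device(events, now=NOW, window_days=90):
    """Return {(query, device): count} for .onion lookups inside the window.
    Like KQL endswith, the match is case-insensitive; a trailing dot on an
    absolute DNS name is stripped before matching."""
    cutoff = now - timedelta(days=window_days)
    counts = Counter()
    for ev in events:
        if ev["TimeGenerated"] <= cutoff:          # where TimeGenerated > ago(90d)
            continue
        query = extract_query(ev["AdditionalFields"])
        if query.lower().rstrip(".").endswith(".onion"):
            counts[(query, ev["DeviceName"])] += 1  # summarize count() by query, device
    return dict(counts)

if __name__ == "__main__":
    for (query, device), n in sorted(onion_queries_by_device(SAMPLE_EVENTS).items()):
        print(f"{device}\t{query}\t{n}")
```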

Jay Kerai
Released: November 11, 2024