Query Details
//Identifies potential DNS tunnelling over HTTPS (and other non-standard) ports
//Data connector required for this query - M365 Defender - Device* tables
//Microsoft Sentinel query
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend AF = parse_json(AdditionalFields)
| extend NetworkSignature = tostring(AF.SignatureName)
//Keep traffic that packet inspection identified as DNS but that is not on the regular DNS port (53), NetBIOS name service (137), mDNS (5353) or LLMNR (5355); trim 137/5353/5355 from the list if those protocols are not in use
//RemotePort is an integer column, so the exclusion list uses integer literals
| where NetworkSignature == "DNS_Request" and RemotePort !in (53, 137, 5353, 5355)
//Exclude traffic where the remote IP is a private/local IPv4 address; remove this line if that traffic is also of interest
//Note: ipv4_is_private() returns null for IPv6 addresses, so rows with an IPv6 RemoteIP are dropped by this filter as well
| where not(ipv4_is_private(RemoteIP))
| project
TimeGenerated,
DeviceName,
NetworkSignature,
LocalIP,
LocalPort,
RemoteIP,
RemotePort,
RemoteUrl
//Advanced Hunting query
//Data connector required for this query - Advanced Hunting license
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend AF = parse_json(AdditionalFields)
| extend NetworkSignature = tostring(AF.SignatureName)
//Keep traffic that packet inspection identified as DNS but that is not on the regular DNS port (53), NetBIOS name service (137), mDNS (5353) or LLMNR (5355); trim 137/5353/5355 from the list if those protocols are not in use
//RemotePort is an integer column, so the exclusion list uses integer literals
| where NetworkSignature == "DNS_Request" and RemotePort !in (53, 137, 5353, 5355)
//Exclude traffic where the remote IP is a private/local IPv4 address; remove this line if that traffic is also of interest
//Note: ipv4_is_private() returns null for IPv6 addresses, so rows with an IPv6 RemoteIP are dropped by this filter as well
| where not(ipv4_is_private(RemoteIP))
| project
Timestamp,
DeviceName,
NetworkSignature,
LocalIP,
LocalPort,
RemoteIP,
RemotePort,
RemoteUrl

This query identifies potential DNS tunnelling over HTTPS and other non-standard ports. It keys on the DNS_Request network signature, which Defender for Endpoint assigns from inspecting the packet contents rather than from the port number, so it surfaces DNS traffic sent to ports other than 53 and the NetBIOS, mDNS and LLMNR name-resolution ports (for example plain DNS sent to port 443 to blend in with HTTPS). Because the signature comes from the payload, DNS carried inside an encrypted TLS session (DNS over HTTPS proper) cannot be recognised this way and is not what the query matches. Traffic to private/local IPv4 addresses is excluded; rows with an IPv6 remote address are dropped as well, because ipv4_is_private() returns null for them. For each matching connection the query returns the timestamp, device name, network signature, local IP and port, remote IP and port, and remote URL.
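The block below is an added example and not part of the original query or its author's code. It runs the same filters over a handful of constructed DeviceNetworkEvents rows held in a KQL datatable, so the detection can be exercised in any Advanced Hunting or Sentinel Logs editor without live telemetry. The row values, the placeholder non-DNS signature name and the assumption that AdditionalFields is a JSON string whose SignatureName key carries the signature are all assumptions made for the example; the port list is written with integer literals to match the int type of RemotePort.

```kql
// Added example (not the original query): a self-contained harness with
// constructed DeviceNetworkEvents rows that exercise each filter in turn.
// Assumption: AdditionalFields is a JSON string with a SignatureName key.
let SampleEvents = datatable(
    Timestamp:datetime, DeviceName:string, ActionType:string,
    LocalIP:string, LocalPort:int, RemoteIP:string, RemotePort:int,
    RemoteUrl:string, AdditionalFields:string)
[
    // Row 1: DNS to a public IPv4 address on 443, the case the query targets
    datetime(2022-06-17T10:00:00Z), "ws01", "NetworkSignatureInspected",
    "10.0.0.5", 51000, "203.0.113.10", 443, "", '{"SignatureName":"DNS_Request"}',
    // Row 2: DNS to a public IPv4 address on another non-standard port
    datetime(2022-06-17T10:00:01Z), "ws01", "NetworkSignatureInspected",
    "10.0.0.5", 51001, "198.51.100.7", 8053, "", '{"SignatureName":"DNS_Request"}',
    // Row 3: ordinary DNS on 53, caught by the port exclusion list
    datetime(2022-06-17T10:00:02Z), "ws01", "NetworkSignatureInspected",
    "10.0.0.5", 51002, "203.0.113.53", 53, "", '{"SignatureName":"DNS_Request"}',
    // Row 4: mDNS on 5353, caught by the port exclusion list
    datetime(2022-06-17T10:00:03Z), "ws02", "NetworkSignatureInspected",
    "10.0.0.6", 5353, "224.0.0.251", 5353, "", '{"SignatureName":"DNS_Request"}',
    // Row 5: DNS on 8053 to an RFC 1918 resolver, caught by ipv4_is_private()
    datetime(2022-06-17T10:00:04Z), "ws02", "NetworkSignatureInspected",
    "10.0.0.6", 51003, "10.0.0.53", 8053, "", '{"SignatureName":"DNS_Request"}',
    // Row 6: a different signature (placeholder name) on 8080, caught by the signature check
    datetime(2022-06-17T10:00:05Z), "ws02", "NetworkSignatureInspected",
    "10.0.0.6", 51004, "203.0.113.80", 8080, "example.test", '{"SignatureName":"HTTP_Client"}',
    // Row 7: a plain connection event with no signature payload, caught by the ActionType check
    datetime(2022-06-17T10:00:06Z), "ws03", "ConnectionSuccess",
    "10.0.0.7", 51005, "203.0.113.10", 443, "", '{}',
    // Row 8: DNS to an IPv6 address on 443; ipv4_is_private() yields null here,
    // so not(null) is null and the row falls out of the private-IP filter
    datetime(2022-06-17T10:00:07Z), "ws03", "NetworkSignatureInspected",
    "fd00::7", 51006, "2001:db8::53", 443, "", '{"SignatureName":"DNS_Request"}'
];
SampleEvents
// Only packet-inspection events carry a network signature
| where ActionType == "NetworkSignatureInspected"
| extend NetworkSignature = tostring(parse_json(AdditionalFields).SignatureName)
// DNS by payload inspection, but not on the usual DNS / NetBIOS / mDNS / LLMNR ports
| where NetworkSignature == "DNS_Request" and RemotePort !in (53, 137, 5353, 5355)
// Drop RFC 1918 destinations (and, as a side effect, IPv6 destinations)
| where not(ipv4_is_private(RemoteIP))
| project Timestamp, DeviceName, NetworkSignature, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl
```

To move from the harness to live data, replace the SampleEvents reference with DeviceNetworkEvents (and Timestamp with TimeGenerated in Sentinel). If you want to keep IPv6 destinations in scope, add an `isnull(ipv4_is_private(RemoteIP))` branch to the last filter rather than dropping those rows; for triage on a noisy estate, a trailing `summarize count() by DeviceName, RemoteIP, RemotePort` ranks the destinations that receive off-port DNS most often.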

Matt Zorich
Released: June 17, 2022