Query Details
//Find DNS domains that have not been queried in the last 30 days. These are potentially stale and should be removed.
//Data connector required for this query - DNS
let domain="yourdomain.com";
DnsEvents
| where TimeGenerated > ago(180d)
| where SubType == "LookupQuery"
| where QueryType == "A"
| where Name endswith domain
| summarize LookupCount=count() by Name
//Set a threshold for total lookups to be included, to account for typos and low volume queries
| where LookupCount > 50
| join kind=leftanti
(
DnsEvents
| where TimeGenerated > ago(30d)
| where SubType == "LookupQuery"
| where QueryType == "A"
| where Name endswith domain
| summarize arg_max(TimeGenerated, Name) by Name
| project TimeGenerated, Name)
on Name

This query looks for DNS names under your domain that have not been queried in the last 30 days; such records are potentially stale and should be removed. It requires the DNS data connector and filters DnsEvents for lookup queries (SubType "LookupQuery") of A records (QueryType "A") whose Name ends with the specified domain. It counts the lookups for each name over the last 180 days and keeps only names above a threshold (more than 50), to exclude typos and low-volume queries. That set is then joined with kind=leftanti against a subquery listing every matching name looked up in the last 30 days, which drops any name with recent activity. Because a leftanti join returns only the columns of the left side, the final result lists each stale name together with its 180-day lookup count; the TimeGenerated value computed in the subquery does not appear in the output.
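The same stale-record check can be written with a single summarize instead of a leftanti join, which has the practical advantage of carrying the last lookup time into the output so the oldest names can be reviewed first. The block below is an added example, not the original author's query; the let names (lookback, staleAfter, minLookups) and the extra columns are my own choices, and the suffix check is tightened so that a zone such as "notyourdomain.com" does not match by accident.

```kql
// Added example (not part of the original query): same stale-record logic,
// computed with one summarize so the result also shows when each name was last looked up.
let domain = "yourdomain.com";   // replace with your own zone
let lookback = 180d;             // how far back to look for any activity at all
let staleAfter = 30d;            // no lookups inside this window = candidate for removal
let minLookups = 50;             // ignore typos and low-volume names, as the original does
DnsEvents
| where TimeGenerated > ago(lookback)
| where SubType == "LookupQuery"
| where QueryType == "A"
// match the zone apex or any name below it, but not "notyourdomain.com"
| where Name == domain or Name endswith strcat(".", domain)
| summarize LookupCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated) by Name
| where LookupCount > minLookups
| where LastSeen < ago(staleAfter)
| extend DaysSinceLastLookup = datetime_diff("day", now(), LastSeen)
| project Name, LookupCount, FirstSeen, LastSeen, DaysSinceLastLookup
| order by LastSeen asc
```

Because the query only counts A-record lookups, a name that is resolved exclusively through AAAA or CNAME queries would still show up as stale; widen the QueryType filter if that matters in your environment, and treat the output as a review list rather than an automatic deletion list.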

Matt Zorich
Released: June 17, 2022