Query Details

Dns Events Unusual DNS Query Type Of Internal Domain

Query

// Detection window (last hour) and baseline window (last 14 days) for the first-seen comparison
let query_frequency = 1h;
let query_period = 14d;
// Internal domains come from the Domain-PrivDomains watchlist; only rows tagged [HomeTenant] in Notes are used
let _InternalDomains = toscalar(
    _GetWatchlist("Domain-PrivDomains")
    | where Notes has "[HomeTenant]"
    | summarize make_list(Domain)
);
DnsEvents
| where TimeGenerated > ago(query_period)
// has_any is term-based: a watchlist entry matches the domain itself and any subdomain of it
| where Name has_any (_InternalDomains)
// Earliest sighting of each SubType/EventId/QueryType/ResultCode combination within the baseline
| summarize arg_min(TimeGenerated, *) by SubType, EventId, QueryType, ResultCode
// Keep only combinations whose first sighting falls inside the last hour, i.e. not seen earlier in the baseline
| where TimeGenerated > ago(query_frequency)
// Pull back every event from the last hour that carries one of those new combinations
| join kind=rightsemi (
    DnsEvents
    | where TimeGenerated > ago(query_frequency)
    | where Name has_any (_InternalDomains)
    ) on SubType, EventId, QueryType, Result, ResultCode
// One row per new combination and queried name, at its earliest occurrence in the hour
| summarize arg_min(TimeGenerated, *) by SubType, EventId, QueryType, ResultCode, Name
| sort by TimeGenerated asc
| project
    TimeGenerated,
    SubType,
    EventId,
    Computer,
    ClientIP,
    QueryType,
    Name,
    Result,
    ResultCode,
    IPAddresses,
    MaliciousIP

Explanation

This KQL query flags DNS query type and result combinations against internal domains that have not been seen during the previous 14 days and appear for the first time in the last hour. Here's a breakdown:

  1. Setup Variables:

    • query_frequency is set to 1 hour: the detection window in which a combination must first appear to be reported. The rule should be scheduled to run at this same interval so that no hour is skipped or counted twice.
    • query_period is set to 14 days: the baseline against which "first seen" is decided.
  2. Internal Domains:

    • It retrieves a list of internal domains from a watchlist named "Domain-PrivDomains", keeping only entries whose Notes column is tagged "[HomeTenant]". toscalar turns that list into a dynamic array usable by has_any.
  3. Filter DNS Events:

    • It filters DNS events from the last 14 days where the queried Name contains one of the internal domains. has_any matches on whole terms, so an entry such as contoso.com also matches mail.contoso.com, and it would match a name like contoso.com.attacker.test where the internal domain appears as a leading label; it does not match notcontoso.com.
  4. Summarize Initial Events:

    • It finds the earliest occurrence (arg_min) of each unique combination of SubType, EventId, QueryType, and ResultCode within the filtered events. Because arg_min(TimeGenerated, *) is used, every other column of that earliest row, including Result, is carried along.
  5. Recent Events:

    • It keeps only the combinations whose earliest sighting falls in the last hour. A combination that was seen at any point in the preceding 13 days and 23 hours is dropped here; what remains are the "unusual" combinations, for example a first TXT, AXFR or ANY lookup for an internal domain, or a response code never returned for one before.
  6. Join with Recent DNS Events:

    • It performs a right semi-join with DNS events from the last hour that also match the internal domains, returning the right-side rows (the raw recent events) whose SubType, EventId, QueryType, Result, and ResultCode equal those of a newly seen combination. Result is a join key even though it was not a summarize key, so recent events must also carry the same Result value as the first-seen row.
  7. Final Summarization:

    • It summarizes the earliest occurrence of each unique combination of SubType, EventId, QueryType, ResultCode, and Name, so repeated lookups of the same name with the same new combination collapse into one row.
  8. Sorting and Projection:

    • The results are sorted by the time they were generated in ascending order.
    • Finally, it selects specific columns to display: TimeGenerated, SubType, EventId, Computer, ClientIP, QueryType, Name, Result, ResultCode, IPAddresses, and MaliciousIP.

In essence, this query reports the first occurrence of each DNS query type and result combination for internal domains that was absent from the 14-day baseline, together with the client and resolver that produced it. Two caveats follow from the design: a combination last seen more than 14 days ago is reported as new again, and on the first run (or after an ingestion gap) every combination looks new, so expect a burst of results until the baseline fills.
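The same first-seen logic carried out in Python over a handful of constructed DnsEvents-like records, added here as an illustration. This is not the page's query and it does not talk to Azure Monitor; the watchlist rows, event values (SubType, EventId, names, result codes, client IPs) and the 14-day/1-hour windows are constructed sample data, and has_any only approximates KQL's term-based matching with a word-boundary regular expression.

```python
"""Python model of the KQL first-seen detection above (constructed sample data)."""
from datetime import datetime, timedelta, timezone
import re

NOW = datetime(2024, 11, 11, 12, 0, tzinfo=timezone.utc)
QUERY_FREQUENCY = timedelta(hours=1)   # let query_frequency = 1h
QUERY_PERIOD = timedelta(days=14)      # let query_period = 14d

# Stand-in for _GetWatchlist("Domain-PrivDomains"); constructed rows.
WATCHLIST = [
    {"Domain": "contoso.com", "Notes": "[HomeTenant] corporate domain"},
    {"Domain": "fabrikam.net", "Notes": "partner tenant, not ours"},
]

KEY = ("SubType", "EventId", "QueryType", "ResultCode")
COLUMNS = ("TimeGenerated", "SubType", "EventId", "Computer", "ClientIP", "QueryType",
           "Name", "Result", "ResultCode", "IPAddresses", "MaliciousIP")


def internal_domains(watchlist):
    """where Notes has "[HomeTenant]" | summarize make_list(Domain)"""
    return [row["Domain"] for row in watchlist if "[HomeTenant]" in row["Notes"]]


def has_any(name, domains):
    """Approximation of KQL has_any: case-insensitive match on whole terms, so
    'contoso.com' matches 'mail.contoso.com' and 'contoso.com.attacker.test'
    but not 'notcontoso.com'."""
    for domain in domains:
        pattern = r"(?<![A-Za-z0-9])" + re.escape(domain) + r"(?![A-Za-z0-9])"
        if re.search(pattern, name, re.IGNORECASE):
            return True
    return False


def _earliest_by(events, key_fn):
    """summarize arg_min(TimeGenerated, *) by <key>"""
    earliest = {}
    for e in events:
        k = key_fn(e)
        if k not in earliest or e["TimeGenerated"] < earliest[k]["TimeGenerated"]:
            earliest[k] = e
    return earliest


def unusual_query_types(events, domains, now=NOW):
    """Return the projected rows the KQL query would emit for the hour ending at `now`."""
    in_scope = [e for e in events
                if e["TimeGenerated"] > now - QUERY_PERIOD and has_any(e["Name"], domains)]
    first_seen = _earliest_by(in_scope, lambda e: tuple(e[c] for c in KEY))
    # Combinations whose first sighting in the baseline is inside the last hour.
    new_combos = {k: e for k, e in first_seen.items()
                  if e["TimeGenerated"] > now - QUERY_FREQUENCY}
    # join kind=rightsemi ... on SubType, EventId, QueryType, Result, ResultCode
    matched = [e for e in in_scope
               if e["TimeGenerated"] > now - QUERY_FREQUENCY
               and tuple(e[c] for c in KEY) in new_combos
               and e["Result"] == new_combos[tuple(e[c] for c in KEY)]["Result"]]
    per_name = _earliest_by(matched, lambda e: tuple(e[c] for c in KEY) + (e["Name"],))
    rows = sorted(per_name.values(), key=lambda e: e["TimeGenerated"])
    return [{c: e[c] for c in COLUMNS} for e in rows]


def _event(minutes_ago, query_type, name, result="Success", result_code=0, client_ip="10.0.0.5"):
    """Constructed DnsEvents-like record; field values are illustrative only."""
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "SubType": "LookUpQuery",
            "EventId": 257, "Computer": "dns01", "ClientIP": client_ip, "QueryType": query_type,
            "Name": name, "Result": result, "ResultCode": result_code,
            "IPAddresses": "", "MaliciousIP": ""}


SAMPLE_EVENTS = [
    _event(10 * 24 * 60, "A", "mail.contoso.com"),             # baseline: (A, 0) seen 10 days ago
    _event(30, "A", "vpn.contoso.com"),                         # same combination: not unusual
    _event(40, "A", "contoso.com.attacker.test"),              # term match, but combination is known
    _event(20, "TXT", "contoso.com"),                           # first TXT lookup in 14 days: reported
    _event(10, "TXT", "contoso.com", client_ip="10.0.0.9"),     # same combination and name: collapsed
    _event(5, "TXT", "evil.example"),                           # not an internal domain: ignored
    _event(20 * 24 * 60, "AXFR", "contoso.com", "Refused", 5),  # older than query_period: not in baseline
    _event(15, "AXFR", "contoso.com", "Refused", 5),            # so this AXFR is still reported as new
]

if __name__ == "__main__":
    for row in unusual_query_types(SAMPLE_EVENTS, internal_domains(WATCHLIST)):
        print(row["TimeGenerated"].isoformat(), row["QueryType"], row["Name"], row["ClientIP"])
```

Running it prints two rows, the TXT lookup at 11:40 and the AXFR at 11:45; the 20-day-old AXFR shows the baseline caveat in action, since anything older than query_period cannot suppress a sighting.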

Details


Jose Sebastián Canós

Released: November 11, 2024

Tables

DnsEvents

Keywords

DnsEvents, Domains, Time, SubType, EventId, QueryType, Result, ResultCode, Computer, ClientIP, IPAddresses, MaliciousIP

Operators

let, toscalar, _GetWatchlist, has, summarize, make_list, where, has_any, arg_min, join, kind, on, sort, by, asc, project
