Query Details
// Build the allow-list once: every SourceAddress (host IP or CIDR) on the
// watchlist whose Activity is "AxfrDNSQuery", packed into one dynamic array.
let _ExpectedIPAddresses = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "AxfrDNSQuery"
    | summarize make_list(SourceAddress)
);
IdentityQueryEvents
| where ActionType == "DNS query" and QueryType == "Axfr"
// Drop only addresses that parse as IPv4 AND fall inside an expected entry;
// anything that is not valid IPv4 is never excluded.
| where not(isnotempty(parse_ipv4(IPAddress)) and ipv4_is_in_any_range(IPAddress, _ExpectedIPAddresses))
| extend AdditionalFieldsCount = toint(AdditionalFields["Count"])
| summarize
    Count = sum(AdditionalFieldsCount),
    QueryTarget = make_set_if(QueryTarget, isnotempty(QueryTarget)),
    arg_min(TimeGenerated, *)   // keep the columns of the earliest event per IP
    by IPAddress
| project
    TimeGenerated,
    DeviceName,
    IPAddress,
    ActionType,
    QueryType,
    Protocol,
    QueryTarget,
    DestinationDeviceName,
    DestinationIPAddress,
    DestinationPort,
    AdditionalFields
This KQL (Kusto Query Language) query is designed to identify unexpected DNS zone transfer requests (Axfr queries) from IP addresses that are not on a predefined watchlist of expected IPs. Here's a simple breakdown of what the query does:
Retrieve Expected IPs: It first retrieves a list of IP addresses from a watchlist named "Activity-ExpectedSignificantActivity" where the activity type is "AxfrDNSQuery". This list represents IPs that are expected to perform DNS zone transfers.
Filter DNS Query Events: It then looks at DNS query events in the IdentityQueryEvents table, specifically filtering for those where the action type is "DNS query" and the query type is "Axfr" (which indicates a DNS zone transfer request).
Exclude Expected IPs: The query drops events whose source address is on the expected list. An event is excluded only when its IPAddress parses as a valid IPv4 address and falls within one of the watchlist entries (which may be single hosts or CIDR ranges); an address that is not valid IPv4 is never matched against the list and is therefore kept.
Count and Summarize: For the remaining events (unexpected Axfr queries), it sums the Count value from AdditionalFields per IP address, collects the set of non-empty query targets (zones being requested) for that IP, and keeps the remaining columns from the earliest event seen for that IP (arg_min on TimeGenerated).
Output Results: Finally, it projects a set of fields including the time the event was generated, device name, IP address, action type, query type, protocol, query targets, destination device name, destination IP address, destination port, and any additional fields.
In summary, this query identifies and summarizes unexpected DNS zone transfer requests by filtering out those from known, expected IP addresses.
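To make the exclusion step concrete, here is an added stand-alone re-implementation of the query's filter, exclusion and per-IP summarize logic in Python (example code, not part of the original query or of Microsoft's KQL engine). It runs over constructed sample events and a constructed watchlist, and shows the two cases the predicate `not(isnotempty(parse_ipv4(IPAddress)) and ipv4_is_in_any_range(...))` handles: watchlist entries may be host addresses or CIDR ranges, and an address that is not valid IPv4 is never excluded.

```python
import ipaddress
from collections import defaultdict

# Constructed watchlist rows for Activity == "AxfrDNSQuery": host IPs or CIDRs
EXPECTED_IPS = ["10.0.0.5", "192.168.10.0/24"]

def _ev(ts, ip, qtype, target, count):
    """Build a minimal IdentityQueryEvents-style row (constructed sample)."""
    return {"TimeGenerated": ts, "IPAddress": ip, "ActionType": "DNS query",
            "QueryType": qtype, "QueryTarget": target,
            "AdditionalFields": {"Count": count}}

EVENTS = [
    _ev("2024-06-26T10:00:00Z", "10.0.0.5", "Axfr", "corp.example", 3),      # expected host
    _ev("2024-06-26T10:05:00Z", "192.168.10.77", "Axfr", "corp.example", 1), # inside expected CIDR
    _ev("2024-06-26T10:07:00Z", "172.16.4.9", "Axfr", "corp.example", 2),    # unexpected
    _ev("2024-06-26T10:02:00Z", "172.16.4.9", "Axfr", "", 4),                # same IP, empty target
    _ev("2024-06-26T10:09:00Z", "fd00::1a", "Axfr", "corp.example", 1),      # IPv6: never excluded
    _ev("2024-06-26T10:10:00Z", "10.0.0.5", "A", "www.corp.example", 9),     # not an Axfr query
]

def ipv4_is_in_any_range(ip, ranges):
    """Mirror of KQL ipv4_is_in_any_range(): True only if `ip` parses as IPv4
    and lies in one of `ranges` (host address or CIDR)."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:          # not IPv4 (e.g. IPv6) -> parse_ipv4 is empty
        return False
    return any(addr in ipaddress.IPv4Network(r, strict=False) for r in ranges)

def unexpected_axfr(events, expected):
    """Apply the query's filter, exclusion and per-IP summarize steps."""
    per_ip = defaultdict(lambda: {"Count": 0, "QueryTarget": set(), "First": None})
    for e in events:
        if e["ActionType"] != "DNS query" or e["QueryType"] != "Axfr":
            continue
        # where not(isnotempty(parse_ipv4(IP)) and ipv4_is_in_any_range(IP, expected))
        if ipv4_is_in_any_range(e["IPAddress"], expected):
            continue
        agg = per_ip[e["IPAddress"]]
        agg["Count"] += int(e["AdditionalFields"]["Count"])          # sum(Count)
        if e["QueryTarget"]:                                            # make_set_if
            agg["QueryTarget"].add(e["QueryTarget"])
        if agg["First"] is None or e["TimeGenerated"] < agg["First"]:  # arg_min
            agg["First"] = e["TimeGenerated"]
    return {ip: {"Count": a["Count"], "QueryTarget": sorted(a["QueryTarget"]),
                 "TimeGenerated": a["First"]} for ip, a in per_ip.items()}
```

Calling `unexpected_axfr(EVENTS, EXPECTED_IPS)` surfaces only 172.16.4.9 (Count 6, earliest event 10:02) and the IPv6 source fd00::1a; the two addresses covered by the watchlist and the non-Axfr query are dropped.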

Jose Sebastián Canós
Released: June 26, 2024