Query Details

Identity Query Events DNS Zone Transfer From Unexpected Device

Query

// Build the allowlist: source addresses (hosts or CIDR ranges) that are expected to issue AXFR
let _ExpectedIPAddresses = toscalar(
    _GetWatchlist('Activity-ExpectedSignificantActivity')
    | where Activity == "AxfrDNSQuery"
    | summarize make_list(SourceAddress)
);
IdentityQueryEvents
| where ActionType == "DNS query" and QueryType == "Axfr"
// Keep only sources outside the allowlist; addresses that do not parse as IPv4 are also kept
| where not(isnotempty(parse_ipv4(IPAddress)) and ipv4_is_in_any_range(IPAddress, _ExpectedIPAddresses))
| extend AdditionalFieldsCount = toint(AdditionalFields["Count"])
// One row per source IP: total query count, the set of requested zones, and the earliest event
| summarize
    Count = sum(AdditionalFieldsCount),
    QueryTarget = make_set_if(QueryTarget, isnotempty(QueryTarget)),
    arg_min(TimeGenerated, *)
    by IPAddress
| project
    TimeGenerated,
    DeviceName,
    IPAddress,
    ActionType,
    QueryType,
    Protocol,
    QueryTarget,
    DestinationDeviceName,
    DestinationIPAddress,
    DestinationPort,
    AdditionalFields

Explanation

This query looks for DNS query events where the ActionType is "DNS query" and the QueryType is "Axfr" (a zone transfer request). It then keeps only events whose source IPAddress is not in the watchlist of expected AXFR sources; an IPAddress that does not parse as IPv4 is never matched against the watchlist and is therefore kept as well. It sums the AdditionalFields Count per source, collects the non-empty QueryTarget values into a set, groups the results by IPAddress (taking the earliest event's fields), and selects specific fields to display in the final output.
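The filtering and grouping logic of the query, re-implemented in Python over constructed sample rows so it can be checked offline. This is an added example, not the query author's code, and the watchlist entries, event rows and function names (expected_ranges, is_expected, unexpected_axfr) are all assumptions made for the illustration. The constructed events include an allowlisted source, an unexpected source seen from two domain controllers, and an IPv6 source, which shows why the parse_ipv4 check in the query keeps rather than suppresses addresses it cannot interpret as IPv4.

```python
"""Added example (not part of the original page): the detection logic of the
KQL query re-implemented in Python over constructed sample data."""
import ipaddress
from collections import defaultdict

# Constructed watchlist rows; entries may be hosts or CIDR ranges, as
# ipv4_is_in_any_range accepts both. The non-AXFR row must be ignored.
WATCHLIST = [
    {"Activity": "AxfrDNSQuery", "SourceAddress": "10.10.0.0/24"},
    {"Activity": "AxfrDNSQuery", "SourceAddress": "10.20.5.7"},
    {"Activity": "SomethingElse", "SourceAddress": "192.168.1.0/24"},
]

# Constructed IdentityQueryEvents rows (only the columns the query uses).
EVENTS = [
    {"TimeGenerated": "2023-08-22T10:00:00Z", "DeviceName": "dc01", "IPAddress": "10.10.0.15",
     "ActionType": "DNS query", "QueryType": "Axfr", "QueryTarget": "corp.example",
     "AdditionalFields": {"Count": "3"}},
    {"TimeGenerated": "2023-08-22T10:05:00Z", "DeviceName": "dc01", "IPAddress": "172.16.9.4",
     "ActionType": "DNS query", "QueryType": "Axfr", "QueryTarget": "corp.example",
     "AdditionalFields": {"Count": "2"}},
    {"TimeGenerated": "2023-08-22T10:01:00Z", "DeviceName": "dc02", "IPAddress": "172.16.9.4",
     "ActionType": "DNS query", "QueryType": "Axfr", "QueryTarget": "",
     "AdditionalFields": {"Count": "5"}},
    {"TimeGenerated": "2023-08-22T10:02:00Z", "DeviceName": "dc01", "IPAddress": "fd00::1",
     "ActionType": "DNS query", "QueryType": "Axfr", "QueryTarget": "corp.example",
     "AdditionalFields": {"Count": "1"}},
    {"TimeGenerated": "2023-08-22T10:03:00Z", "DeviceName": "dc01", "IPAddress": "10.10.0.16",
     "ActionType": "DNS query", "QueryType": "A", "QueryTarget": "www.corp.example",
     "AdditionalFields": {"Count": "1"}},
]


def expected_ranges(watchlist):
    """Equivalent of the _ExpectedIPAddresses scalar: AXFR sources as networks."""
    return [ipaddress.ip_network(row["SourceAddress"], strict=False)
            for row in watchlist if row["Activity"] == "AxfrDNSQuery"]


def is_expected(ip_text, ranges):
    """Mirror of `isnotempty(parse_ipv4(IPAddress)) and ipv4_is_in_any_range(...)`.
    Anything that does not parse as IPv4 is treated as NOT expected, so the
    event is kept in the results instead of being silently dropped."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def unexpected_axfr(events, watchlist):
    """Return one summary per unexpected AXFR source, keyed by IPAddress."""
    ranges = expected_ranges(watchlist)
    groups = defaultdict(list)
    for ev in events:
        if ev["ActionType"] != "DNS query" or ev["QueryType"] != "Axfr":
            continue
        if is_expected(ev["IPAddress"], ranges):
            continue
        groups[ev["IPAddress"]].append(ev)

    results = {}
    for ip, evs in groups.items():
        # arg_min(TimeGenerated, *): fields of the earliest event for this source
        first = min(evs, key=lambda e: e["TimeGenerated"])
        results[ip] = {
            "TimeGenerated": first["TimeGenerated"],
            "DeviceName": first["DeviceName"],
            # sum(toint(AdditionalFields["Count"]))
            "Count": sum(int(e["AdditionalFields"]["Count"]) for e in evs),
            # make_set_if(QueryTarget, isnotempty(QueryTarget))
            "QueryTarget": sorted({e["QueryTarget"] for e in evs if e["QueryTarget"]}),
        }
    return results


if __name__ == "__main__":
    for ip, row in unexpected_axfr(EVENTS, WATCHLIST).items():
        print(ip, row)
```

Running the block reports 172.16.9.4 (seven queries across two domain controllers, first seen on dc02) and fd00::1, while the allowlisted 10.10.0.15 and the non-AXFR query from 10.10.0.16 are dropped.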

Details


Jose Sebastián Canós

Released: August 22, 2023

Tables

IdentityQueryEvents

Keywords

IdentityQueryEvents,ActionType,DNSquery,QueryType,Axfr,IPAddress,_ExpectedIPAddresses,AdditionalFields,Count,QueryTarget,TimeGenerated,DeviceName,Protocol,DestinationDeviceName,DestinationIPAddress,DestinationPort

Operators

|, where, ==, and, not, isnotempty, parse_ipv4, ipv4_is_in_any_range, extend, toint, summarize, sum, make_set_if, arg_min, by, project
