Query Details

Security Alert Possible DNS Data Transfer

Query

//When Defender for Cloud detects possible data transfer via DNS tunnel, use DNS logs to find any other devices that have queried the potentially malicious domain

//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)
//Data connector required for this query - DNS

let maliciousdomain=
    SecurityAlert
    | where AlertName contains "via DNS tunnel"
    | mv-expand todynamic(Entities)
    | project Entities
    | extend MaliciousDomain = tostring(Entities.DomainName)
    | where isnotempty(MaliciousDomain)
    | distinct MaliciousDomain;
DnsEvents
| where QueryType == "A"
| project Name, ClientIP
| where Name in~ (maliciousdomain)
| summarize ['List of Device IPs']=make_set(ClientIP) by Name

Explanation

This query finds any devices that have queried a potentially malicious domain after Defender for Cloud detects possible data transfer via DNS tunnel. It extracts the domain entity from the alert, searches the DNS logs for A-record queries to that domain, and returns the set of client IPs that made those queries, grouped by domain name. The query requires two data connectors - Security Alert and DNS.
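DNS tunnelling encodes data in the subdomain labels of each query (and often uses TXT, CNAME or NULL records rather than A records), so an exact match on the alerted domain and a filter on QueryType == "A" can miss the queries that carry the data. The following KQL is an added example, not part of the original page or Matt Zorich's query: it keeps the same SecurityAlert and DnsEvents tables and columns, matches the alerted domain or any name beneath it across all record types, and counts how many distinct names each client queried (many unique names under one domain with a low repeat rate is the typical tunnel pattern). The 7-day lookback is an assumption.

```kql
// Added example (not from the original page): hunt for every client that queried the
// alerted domain OR any subdomain of it, across all DNS record types.
// Assumed schema (same as the page): SecurityAlert (TimeGenerated, AlertName, Entities)
// and DnsEvents (TimeGenerated, Name, ClientIP, QueryType). Lookback is an assumed value.
let lookback = 7d;
let maliciousdomain =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where AlertName contains "via DNS tunnel"
    | mv-expand todynamic(Entities)
    | extend MaliciousDomain = tolower(tostring(Entities.DomainName))
    | where isnotempty(MaliciousDomain)
    | distinct MaliciousDomain;
// Collapse the domains into one dynamic array so each DNS row can be tested against all of them
let domainList = toscalar(maliciousdomain | summarize make_list(MaliciousDomain));
DnsEvents
| where TimeGenerated > ago(lookback)
| extend QueriedName = tolower(Name), Candidates = domainList
// Keep a row only when the queried name is the alerted domain or a label beneath it
| mv-apply Candidate = Candidates to typeof(string) on (
    where QueriedName == Candidate or QueriedName endswith strcat(".", Candidate)
  )
| summarize
    QueryCount    = count(),
    DistinctNames = dcount(QueriedName),   // high value = unique encoded labels per query
    QueryTypes    = make_set(QueryType),   // TXT/CNAME/NULL-heavy mixes are worth a closer look
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by ClientIP, MatchedDomain = Candidate
| order by DistinctNames desc, QueryCount desc
```

Clients at the top of this list, with a large DistinctNames relative to QueryCount, are the ones to triage first; a client that resolved the bare domain once with a single A record is a much weaker signal than one that issued hundreds of unique TXT queries beneath it.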

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert, DnsEvents

Keywords

Devices, Intune, User, DNS

Operators

contains, mv-expand, project, extend, isnotempty, distinct, where, make_set, summarize, in~
