Query Details

Vm Connection Check

Query

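// `domains` is not defined on this page; it is assumed to be a dynamic array
// of domain names supplied by the caller.
VMConnection
| where isnotempty(RemoteDnsCanonicalNames) or isnotempty(RemoteDnsQuestions)
| where RemoteDnsCanonicalNames has_any (domains) or RemoteDnsQuestions has_any (domains)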

Explanation

The query filters the VMConnection table to rows where either the RemoteDnsCanonicalNames or the RemoteDnsQuestions column is not empty. It then keeps only the rows where RemoteDnsCanonicalNames or RemoteDnsQuestions contains any of the specified domains.

Details


Jose Sebastián Canós

Released: February 2, 2023

Tables

VMConnection

Keywords

VMConnection, RemoteDnsCanonicalNames, RemoteDnsQuestions, domains

Operators

where, isnotempty, or, has_any
