NXLog DNS Logs connector for Microsoft Sentinel

The NXLog DNS Logs data connector uses Event Tracing for Windows (ETW) for collecting both Audit and Analytical DNS Server events. The NXLog im_etw module reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. This REST API connector can forward DNS Server events to Microsoft Sentinel in real time.

Connector attributes

| Connector attribute | Description |
| --- | --- |
| Log Analytics table(s) | NXLog_DNS_Server_CL |
| Data collection rules support | Not currently supported |
| Supported by | NXLog |

Query samples

DNS Server top 5 host lookups

```kusto
ASimDnsMicrosoftNXLog
// count lookups per domain, then keep the five most frequent
// (a bare take 5 would return five arbitrary rows, not the top five)
| summarize Count = count() by Domain
| top 5 by Count
| render piechart title='Top 5 host lookups'
```

DNS Server top 5 EventOriginalTypes (Event IDs)

```kusto
ASimDnsMicrosoftNXLog
// EventOriginalType is numeric; render it as 'Event ID nnn' without the trailing '.0'
| extend EventID = strcat('Event ID ', trim_end('.0', tostring(EventOriginalType)))
| summarize CountByEventID = count() by EventID
| sort by CountByEventID
| take 5
| render piechart title='Top 5 EventOriginalTypes (Event IDs)'
```

DNS Server analytical events per second (EPS)

```kusto
ASimDnsMicrosoftNXLog
| where EventEndTime >= todatetime('2021-09-17 03:07')
| where EventEndTime <  todatetime('2021-09-18 03:14')
| summarize EPS = count() by bin(EventEndTime, 1s)
| render timechart title='DNS analytical events per second (EPS) - All event types'
```
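The samples above are volume and inventory queries. The query below is an added example, not one of the connector page's own samples, showing the kind of detection the ASimDnsMicrosoftNXLog parser enables: it flags source hosts whose DNS queries fail with NXDOMAIN at a high rate over the last hour, a pattern worth reviewing for misconfigured clients or domain-generation-algorithm malware. It assumes the parser populates the standard ASIM DNS fields SrcIpAddr, DnsQuery and DnsResponseCodeName; the thresholds are illustrative and should be tuned to the environment.

```kusto
// Added example: hosts with a high NXDOMAIN ratio in the last hour.
// Assumes ASIM DNS fields SrcIpAddr, DnsQuery, DnsResponseCodeName, EventEndTime.
let lookback = 1h;          // analysis window
let minQueries = 100;       // ignore hosts with too few queries to judge
let ratioThreshold = 0.5;   // flag when more than half of queries fail
ASimDnsMicrosoftNXLog
| where EventEndTime >= ago(lookback)
| where isnotempty(SrcIpAddr)
| summarize
    TotalQueries   = count(),
    NxDomain       = countif(DnsResponseCodeName == "NXDOMAIN"),
    DistinctNames  = dcount(DnsQuery),
    FirstSeen      = min(EventEndTime),
    LastSeen       = max(EventEndTime)
    by SrcIpAddr
| where TotalQueries >= minQueries
| extend NxDomainRatio = round(todouble(NxDomain) / TotalQueries, 3)
| where NxDomainRatio > ratioThreshold
| order by NxDomainRatio desc, TotalQueries desc
```

DistinctNames is included because a host failing on many different names is more suspicious than one repeatedly failing on a single stale record; the latter is usually a configuration problem rather than a security one.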

Vendor installation instructions

Note

This data connector depends on parsers based on Kusto functions deployed with the Microsoft Sentinel solution to work as expected. The **ASimDnsMicrosoftNXLog** parser is designed to leverage Microsoft Sentinel's built-in DNS-related analytics capabilities.

Follow the step-by-step instructions in the Microsoft Sentinel integration topic of the NXLog User Guide to configure this connector.
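Once the connector is configured, the first thing to verify is that events reach the raw NXLog_DNS_Server_CL table and that the ASimDnsMicrosoftNXLog parser returns rows for the same window; a raw count with no parsed rows means the solution's parser functions are not deployed. This check is an added example, not part of the connector page; the table and parser names are those given above, and TimeGenerated is the standard ingestion timestamp column of Log Analytics tables.

```kusto
// Added example: compare raw ingestion with parser output over the last 24 hours.
let window = 24h;
union
    (NXLog_DNS_Server_CL
     | where TimeGenerated >= ago(window)
     | summarize Events = count(), LastSeen = max(TimeGenerated)
     | extend Source = "NXLog_DNS_Server_CL (raw table)"),
    (ASimDnsMicrosoftNXLog
     | where EventEndTime >= ago(window)
     | summarize Events = count(), LastSeen = max(EventEndTime)
     | extend Source = "ASimDnsMicrosoftNXLog (parser)")
| project Source, Events, LastSeen
```

Two rows with similar counts and a recent LastSeen confirm both ingestion and parsing; a LastSeen that lags the current time by more than the usual ingestion delay points at the NXLog agent or the DNS Server ETW provider rather than at Sentinel.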

Next steps

For more information, go to the related solution in the Azure Marketplace.