This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 39%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Hello,
I configuret Azure Sentinel Workspace.
Installed MMA agent on DNS server and enabled DNS logging. And added DNS log event to workspace configuratian.
I am receiving logs about DNS dynamic updates but don't get Lookup Query logs.
DNS debug logging is enabled.
What could be the couse?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 4%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERG%3C/text%3E%3C/svg%3E)
You need to enable DNS Analytic Event logging to get the lookup queries as it's not enabled by default, refer dn800669(v=ws.11) . Be aware of the performance impact on the DNS server to have both Audit and Analytic event logging enabled
@Russell Graham Hello.
But we implemented this solution in other environment and there are not enabled DNS analytic events.
And they are receiving lookup queries?
Sorry, updated the URL link as there must have been an issue with what I originally posted, It depends on the version of Windows OS the DNS server is running, Refer to the URL as the Analytic Events report on the DNS activity you are after and not covered in Audit Events
Hello
I have 2012 R2 AD servers which has DNS role installed.
I enabled DNS analytics as is mentioned in the Microsoft post.
But still Azure Sentinel don't receive lookup queries
Try these validation and troubleshooting steps
Validate
In Log Analytics, search for the schema DnsEvents and make sure there are events.
Troubleshooting
If Lookup Queries do not show up in Azure Sentinel, follow these steps so the queries are displayed properly:
Turn ON the DNS Analytics logs on your servers.
dn800669(v=ws.11)
Make sure DNSEvents appear in your Log Analytics collection list.
Turn ON Azure DNS Analytics. dns-analytics
In Azure DNS Analytics, under Configuration, change any of the settings, save it, then change it back if you need to, and then save it again.
Check Azure DNS analytics to make sure the queries are now being displayed.
Also i see that there is information about installing hotfix KB2956577 but it's old update also in prerequisites is mentioned to install KB2919355 which is 2015 and it's old update..
After enablign analytic DNs loggin i see records in DNS event viewer but this data is not trasnferred to Azure Setninel.. @Russell Graham