Azure Sentinel DNS

Della Grotta, Fletcher 1 Reputation point
2021-01-11T22:41:20.183+00:00

Hi,

I enabled the DNS connector in Sentinel and some DNS events are getting collected from the DNS servers, however DnsEvents SubType "LookupQuery" are not being sent to Sentinel. I saw the article here https://learn.microsoft.com/en-us/azure/sentinel/connect-dns#troubleshooting but my question is:

Does registering DNS log analytics on the DNS servers include lookup queries? Or do I need to install Azure DNS Analytics as well?

I am confused about whether I need to install Azure Monitor/Azure DNS Analytics as well to get lookup queries.

Thanks


2 answers

  1. VipulSparsh-MSFT 16,246 Reputation points Microsoft Employee
    2021-01-12T04:38:27+00:00

    @Della Grotta, Fletcher Thanks for reaching out.
    For lookup related queries, you will need to use the Azure DNS analytics solution under Azure monitor.

    Once done, on the log search page, you can create a custom query under DNSEvents, it will contain all events related to lookup queries.
    Read more about it here.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

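    As an added illustration of the "custom query under DnsEvents" step (this is not code from the answer above or from Microsoft's documentation), the following KQL, run in the Log Analytics workspace Sentinel is attached to, first shows which DnsEvents subtypes each DNS server is actually sending, so you can tell whether "LookupQuery" rows are arriving at all, and then lists the most-queried names once they are. It assumes the DnsEvents table with its SubType, Computer, Name, ClientIP and QueryType columns; the 24-hour window is an arbitrary choice. Run each query separately.

    ```kql
    // Added example, not part of the original answer.
    // Query 1: which subtypes is each DNS server sending? If a server shows only
    // "DynamicRegistration" / "DNSAuditLog" rows and no "LookupQuery" rows, the
    // DNS Analytics solution (or analytic logging on that server) is still missing.
    DnsEvents
    | where TimeGenerated > ago(24h)          // assumed window; adjust as needed
    | summarize Events = count() by Computer, SubType
    | order by Computer asc, SubType asc

    // Query 2: once "LookupQuery" rows appear, list the most-queried names per client,
    // which is the same data the DNS Analytics "Domains Queried" view summarizes.
    DnsEvents
    | where TimeGenerated > ago(24h)
    | where SubType == "LookupQuery"
    | summarize Queries = count() by ClientIP, Name, QueryType
    | top 50 by Queries desc
    ```

    If query 1 returns rows for a server but none with SubType "LookupQuery", the connector is working and the gap is on the analytic-logging side, not the agent; if the server is absent entirely, start with the agent and connector troubleshooting steps linked in the question.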

  2. SUNOJ KUMAR YELURU 13,976 Reputation points MVP
    2021-01-12T04:53:14.037+00:00

    @Della Grotta, Fletcher

    Domains Queried. Provides the most frequent domain names being queried by the DNS clients in your environment. You can view the list of all the domain names queried. You can also drill down into the lookup request details of a specific domain name in Log Search.

    You can connect any Domain Name Server (DNS) running on Windows to Azure Sentinel. This is done by installing an agent on the DNS machine. Using DNS logs, you can gain security, performance, and operations-related insights into the DNS infrastructure of your organization by collecting, analyzing, and correlating analytic and audit logs and other related data from the DNS servers.

    Use the Azure DNS Analytics solution in Azure Monitor to gather insights into DNS infrastructure on security, performance, and operations.

    Installing and enabling DNS diagnostic logging

    ----------

    Please don’t forget to "Accept the answer" and up-vote wherever the information provided helps you, this can be beneficial to other community members.
