Respond to Microsoft Defender for DNS alerts


As of August 1, customers with an existing subscription to Defender for DNS can continue to use the service, but new subscribers will receive alerts about suspicious DNS activity as part of Defender for Servers P2.

When you receive a security alert about suspicious and anomalous activities identified in DNS transactions, we recommend you investigate and respond to the alert as described below. Even if you're familiar with the application or user that triggered the alert, it's important to verify the situation surrounding every alert.

Step 1: Contact

  1. Contact the resource owner to determine whether the behavior was expected or intentional.
  2. If the activity is expected, dismiss the alert.
  3. If the activity is unexpected, treat the resource as potentially compromised and mitigate as described in the next step.

Step 2: Immediate mitigation

  1. Isolate the resource from the network to prevent lateral movement.
  2. Run a full antimalware scan on the resource, following any resulting remediation advice.
  3. Review installed and running software on the resource, removing any unknown or unwanted packages.
  4. Revert the machine to a known good state, reinstalling the operating system if required, and restore software from a verified malware-free source.
  5. Resolve any Microsoft Defender for Cloud recommendations for the machine, remediating highlighted security issues to prevent future breaches.

Next steps

Now that you know how to respond to DNS alerts, find out more about how to manage alerts.

For related material, see the following articles:

  • Export Defender for Cloud alerts to your centralized security information and event management (SIEM) system, such as Microsoft Sentinel, any third-party SIEM, or any other external tool.
  • Send alerts in real time to Log Analytics or Event Hubs to create automated processes that analyze and respond to security alerts.