Redaguoti

Bendrinti naudojant


DNS over AMA connector reference - available fields and normalization schema

Microsoft Sentinel allows you to stream and filter events from your Windows Domain Name System (DNS) server logs to the ASimDnsActivityLog normalized schema table. This article describes the fields used for filtering the data, and the normalization schema for the Windows DNS server fields.

The Azure Monitor Agent (AMA) and its DNS extension are installed on your Windows Server to upload data from your DNS analytical logs to your Microsoft Sentinel workspace. You stream and filter the data using the Windows DNS Events via AMA connector.

Available fields for filtering

This table shows the available fields. The field names are normalized using the DNS schema.

Field name Values Description
EventOriginalType Numbers between 256 and 280 The Windows DNS eventID, which indicates the type of the DNS protocol event.
EventResultDetails • NOERROR
• FORMERR
• SERVFAIL
• NXDOMAIN
• NOTIMP
• REFUSED
• YXDOMAIN
• YXRRSET
• NXRRSET
• NOTAUTH
• NOTZONE
• DSOTYPENI
• BADVERS
• BADSIG
• BADKEY
• BADTIME
• BADALG
• BADTRUNC
• BADCOOKIE
The operation's DNS result string as defined by the Internet Assigned Numbers Authority (IANA).
DvcIpAdrr IP addresses The IP address of the server reporting the event. This field also includes geo-location and malicious IP information.
DnsQuery Domain names (FQDN) The string representing the domain name to be resolved.
• Can accept multiple values in a comma-separated list, and wildcards. For example:
*.microsoft.com,google.com,facebook.com
• Review these considerations for using wildcards.
DnsQueryTypeName • A
• NS
• MD
• MF
• CNAME
• SOA
• MB
• MG
• MR
• NULL
• WKS
• PTR
• HINFO
• MINFO
• MX
• TXT
• RP
• AFSDB
• X25
• ISDN
• RT
• NSAP
• NSAP-PTR
• SIG
• KEY
• PX
• GPOS
• AAAA
• LOC
• NXT
• EID
• NIMLOC
• SRV
The requested DNS attribute. The DNS resource record type name as defined by IANA.

ASIM normalized DNS schema

This table describes and translates Windows DNS server fields into the normalized field names as they appear in the DNS normalization schema.

Windows DNS field name Normalized field name Type Description
EventID EventOriginalType String The original event type or ID.
RCODE EventResult String The outcome of the event (success, partial, failure, NA).
RCODE parsed EventResultDetails String The DNS response code as defined by IANA.
InterfaceIP DvcIpAdrr String The IP address of the event reporting device or interface.
AA DnsFlagsAuthoritative Integer Indicates whether the response from the server was authoritative.
AD DnsFlagsAuthenticated Integer Indicates that the server verified all of the data in the answer and the authority of the response, according to the server policies.
RQNAME DnsQuery String The domain needs to be resolved.
QTYPE DnsQueryType Integer The DNS resource record type as defined by IANA.
Port SrcPortNumber Integer Source port sending the query.
Source SrcIpAddr IP address The IP address of the client sending the DNS request. For a recursive DNS request, this value is typically the reporting device's IP, in most cases, 127.0.0.1.
ElapsedTime DnsNetworkDuration Integer The time it took to complete the DNS request.
GUID DnsSessionId String The DNS session identifier as reported by the reporting device.

Next steps

In this article, you learned about the fields used to filter DNS log data using the Windows DNS events via AMA connector. To learn more about Microsoft Sentinel, see the following articles: