NXLog DNS Logs connector for Microsoft Sentinel
The NXLog DNS Logs data connector uses Event Tracing for Windows (ETW) to collect both Audit and Analytical DNS Server events. The NXLog im_etw module reads event tracing data directly, for maximum efficiency, without first capturing the event trace into an .etl file. This REST API connector can forward DNS Server events to Microsoft Sentinel in real time.
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | NXLog_DNS_Server_CL |
| Data collection rules support | Not currently supported |
| Supported by | NXLog |
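The connector description above calls this a REST API connector without data collection rule support, and the table it lands in is the custom log NXLog_DNS_Server_CL. The following added example (not code from the NXLog connector, the NXLog User Guide, or this page) shows how a REST-based shipper authenticates a batch of DNS Server events to the legacy Azure Monitor HTTP Data Collector API, which is the API that creates `<Log-Type>_CL` tables. Whether the NXLog module uses exactly this call is not stated on the page; the workspace ID, shared key, and event field names are constructed placeholders.

```python
"""Added example: signing a DNS Server event batch for the Azure Monitor
HTTP Data Collector API (legacy custom-log ingestion, no DCR involved).
Not NXLog code; workspace ID, key and event fields are constructed."""
import base64
import hashlib
import hmac
import json
import urllib.request

WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder GUID
SHARED_KEY = base64.b64encode(b"constructed-example-key-not-real").decode("ascii")
LOG_TYPE = "NXLog_DNS_Server"  # Log Analytics appends _CL, giving NXLog_DNS_Server_CL
API_RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"

# Constructed sample batch. Field names are illustrative; the actual im_etw
# output fields are documented by NXLog, not by this page.
SAMPLE_EVENTS = [
    {"EventTime": "2021-09-17T03:07:01Z", "EventID": 256, "Domain": "example.com", "QTYPE": 1},
    {"EventTime": "2021-09-17T03:07:01Z", "EventID": 257, "Domain": "example.com", "RCODE": 0},
]


def custom_table_name(log_type: str) -> str:
    """The Data Collector API stores records of Log-Type X in table X_CL."""
    return f"{log_type}_CL"


def string_to_sign(content_length: int, rfc1123_date: str,
                   method: str = "POST", content_type: str = "application/json") -> str:
    """Canonical string the API signs; line order and the x-ms-date prefix matter."""
    return "\n".join([method, str(content_length), content_type,
                      f"x-ms-date:{rfc1123_date}", API_RESOURCE])


def build_authorization(workspace_id: str, shared_key: str,
                        content_length: int, rfc1123_date: str) -> str:
    """HMAC-SHA256 over the canonical string, keyed with the decoded shared key."""
    key = base64.b64decode(shared_key)
    mac = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"),
                   hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode('ascii')}"


def build_request(events, rfc1123_date: str, workspace_id: str = WORKSPACE_ID,
                  shared_key: str = SHARED_KEY, log_type: str = LOG_TYPE):
    """Return (url, headers, body) for one POST carrying a JSON array of events."""
    body = json.dumps(events, separators=(",", ":")).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key, len(body), rfc1123_date),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        # Tells Log Analytics which field to use as TimeGenerated.
        "time-generated-field": "EventTime",
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{API_RESOURCE}?api-version={API_VERSION}"
    return url, headers, body


def verify_authorization(headers: dict, body: bytes, workspace_id: str, shared_key: str) -> bool:
    """Recompute the signature the way the service does; constant-time compare."""
    expected = build_authorization(workspace_id, shared_key, len(body), headers["x-ms-date"])
    return hmac.compare_digest(headers.get("Authorization", ""), expected)


def send_batch(url: str, headers: dict, body: bytes, timeout: int = 10) -> int:
    """Actually POST the batch (not called here so the example runs offline)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status  # 200 means the batch was accepted


if __name__ == "__main__":
    import datetime
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    url, headers, body = build_request(SAMPLE_EVENTS, now)
    print(url)
    print(headers["Log-Type"], "->", custom_table_name(headers["Log-Type"]))
    print("signature verifies:", verify_authorization(headers, body, WORKSPACE_ID, SHARED_KEY))
```

Note that the signature covers the content length and date but not the body bytes themselves, so integrity of the batch rests on TLS rather than on the `Authorization` header; the shared key is a workspace-wide credential and should be stored and rotated like one.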
Query samples
DNS Server top 5 host lookups

```kusto
ASimDnsMicrosoftNXLog
| summarize count() by Domain
| take 5
| render piechart title='Top 5 host lookups'
```
DNS Server top 5 EventOriginalTypes (Event IDs)

```kusto
ASimDnsMicrosoftNXLog
// EventOriginalType may render as a real such as 257.0; strip only a literal ".0"
// suffix. trim_end takes a regex, so the dot must be escaped or "260.0" becomes "2".
| extend EventID=strcat('Event ID ', trim_end(@'\.0', tostring(EventOriginalType)))
| summarize CountByEventID=count() by EventID
| sort by CountByEventID
| take 5
| render piechart title='Top 5 EventOriginalTypes (Event IDs)'
```
DNS Server analytical events per second (EPS)

```kusto
ASimDnsMicrosoftNXLog
// Sample time window; adjust to the period of interest.
| where EventEndTime >= todatetime('2021-09-17 03:07')
| where EventEndTime < todatetime('2021-09-18 03:14')
| summarize EPS=count() by bin(EventEndTime, 1s)
| render timechart title='DNS analytical events per second (EPS) - All event types'
```
Vendor installation instructions
Note
This data connector depends on parsers based on Kusto functions deployed with the Microsoft Sentinel Solution to work as expected. The **ASimDnsMicrosoftNXLog** parser is designed to leverage Microsoft Sentinel's built-in DNS-related analytics capabilities.
Follow the step-by-step instructions in the Microsoft Sentinel integration topic of the NXLog User Guide to configure this connector.