Muokkaa

Jaa


ASimDnsActivityLogs

The ASim DNS activity schema represents DNS protocol activity, which may be logged either by a DNS server or by a device sending DNS requests to a DNS server. The DNS protocol activity includes DNS queries, DNS server updates, and DNS bulk data transfers. Since the schema represents protocol activity, it is governed by RFCs and officially assigned parameter lists. The DNS activity schema does not represent DNS server audit events.

Table attributes

Attribute Value
Resource types microsoft.securityinsights/dnsnormalized
Categories Security
Solutions SecurityInsights
Basic log No
Ingestion-time transformation Yes
Sample Queries Yes

Columns

Column Type Description
AdditionalFields dynamic Additional information, represented using key/value pairs provided by the source which do not map to ASim.
_BilledSize real The record size in bytes
DnsFlags string The DNS request flags, as provided by the reporting device. The structure of the DNS flags information may vary between different reporting devices.
DnsFlagsAuthenticated bool The DNS authenticated answer flag, which is related to DNSSEC, indicates in a response that all data included in the answer and authority sections of the response have been verified by the server according to the policies of that server. see RFC 3655 Section 6.1 for more information.
DnsFlagsAuthoritative bool The DNS authoritative answer flag indicates whether the response from the server was authoritative.
DnsFlagsCheckingDisabled bool The DNS CD flag, which is related to DNSSEC, indicates in a query that non-verified data is acceptable to the system sending the query.
DnsFlagsRecursionAvailable bool The DNS RA flag indicates in a response that that server supports recursive queries.
DnsFlagsRecursionDesired bool The DNS recursion desired flag indicates in a request that that client would like the server to use recursive queries.
DnsFlagsTruncated bool The DNS TC flag indicates that a response was truncates as it exceeded the maximum response size.
DnsFlagsZ bool The DNS Z flag is a deprecated DNS flag, which might be reported by older DNS systems.
DnsNetworkDuration int The amount of time, in milliseconds, for the completion of DNS request.
DnsQuery string The domain that needs to be resolved.
DnsQueryClass int The DNS class ID as defined by the Internet Assigned Numbers Authority (IANA).
DnsQueryClassName string The DNS class name as defined by the Internet Assigned Numbers Authority (IANA).
DnsQueryType int The DNS resource record type codes as defined by the Internet Assigned Numbers Authority (IANA).
DnsQueryTypeName string The DNS resource record type name as defined by the Internet Assigned Numbers Authority (IANA).
DnsResponseCode int The DNS numerical response code as defined by the Internet Assigned Numbers Authority (IANA).
DnsResponseIpCity string The city associated with the response IP address.
DnsResponseIpCountry string The country associated with the response IP address.
DnsResponseIpLatitude real The Latitude of the geographical coordinate associated with the response IP address.
DnsResponseIpLongitude real The longitude of the geographical coordinate associated with the response IP address.
DnsResponseIpRegion string The region, or state, within a country, associated with the source IP address.
DnsResponseName string The content of the response, as included in the record. The structure of the DNS response data may vary between different reporting devices.
DnsSessionId string The DNS session identifier as reported by the reporting device.
Dst string A unique identifier of the server that received the DNS request.
DstDescription string A descriptive text associated with the destination.
DstDeviceType string The type of the destination device.
DstDomain string The domain of the destination device.
DstDomainType string The type of DstDomain.
DstDvcId string The ID of the destination device.
DstDvcIdType string The type of DstDvcId.
DstDvcScope string The cloud platform scope the destination device belongs to. DvcScope maps to a subscription on Azure and to an account on AWS.
DstDvcScopeId string The cloud platform scope ID the destination device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.
DstFQDN string The destination device hostname, including domain information when available.
DstGeoCity string The city associated with the destination IP address.
DstGeoCountry string The country associated with the destination IP address.
DstGeoLatitude real The latitude of the geographical coordinate associated with the destination IP address.
DstGeoLongitude real The longitude of the geographical coordinate associated with the destination IP address.
DstGeoRegion string The region, or state, within a country, associated with the destination IP address.
DstHostname string The destination device hostname, excluding domain information.
DstIpAddr string The IP address of the server receiving the DNS request. For a regular DNS request, this value would typically be the reporting device, and in most cases set to 127.0.0.1.
DstOriginalRiskLevel string The risk level associated with the destination device as reported by the reporting device.
DstPortNumber int Destination Port number.
DstRiskLevel int The risk level associated with the destination device.
Dvc string A unique identifier of the device reporting the event. The identifier can be either an IP Address, A hostname, or a device ID.
DvcAction string The action taken by the the reporting device on the request, such as blocking it.
DvcDescription string A descriptive text associated with the device. For example: Primary Domain Controller.
DvcDomain string The domain of the device reporting the event.
DvcDomainType string The type of DvcDomain. Possible values include "Windows" and "FQDN".
DvcFQDN string The fully qualified hostname, including domain information, of the device reporting the event.
DvcHostname string The hostname of the device reporting the event.
DvcId string The unique ID of the device reporting the event.
DvcIdType string The type of DvcId.
DvcInterface string The network interface on which data was captured. This field is typically relevant to network related activity which is captured by an intermediate or tap device.
DvcIpAddr string The IP Address of the device reporting the event.
DvcMacAddr string The MAC address of the device reporting the event.
DvcOriginalAction string The original DvcAction as provided by the reporting device.
DvcOs string The operating system running on the device reporting the event.
DvcOsVersion string The version of the operating system on the device reporting the event.
DvcScope string The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.
DvcScopeId string The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.
DvcZone string The network segment of the device reporting the event.
EventCount int The number of events described by the record. This value is used when the source supports aggregation, and a single record may represent multiple events.
EventEndTime datetime The time at which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.
EventMessage string A general message or description.
EventOriginalSeverity string The original severity as provided by the reporting device. This value is used to derive EventSeverity.
EventOriginalType string The original event type or ID, for example, the original Windows event ID.
EventOriginalUid string A unique ID of the original record.
EventOwner string The owner of the event, which is usually the department or subsidiary in which it was generated.
EventProduct string The product generating the event.
EventProductVersion string The version of the product generating the event.
EventReportUrl string A URL of a resource that provides additional information about the event.
EventResult string The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field.
EventResultDetails string The DNS response code as defined by the Internet Assigned Numbers Authority (IANA).
EventSchemaVersion string The version of the schema.
EventSeverity string The severity of the event. Valid values are: Informational, Low, Medium, or High.
EventStartTime datetime The time at which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.
EventSubType string Either request or response.
EventType string Indicates the operation reported by the record. For DNS activity events, this value is the DNS opcode as defined by the Internet Assigned Numbers Authority (IANA).
EventVendor string The vendor of the product generating the event.
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
NetworkProtocol string The transport protocol used by the network resolution event. The value can be UDP or TCP.
NetworkProtocolVersion string The version of the network protocol. Typically used to differentiate between IPv4 and Ipv6.
_ResourceId string A unique identifier for the resource that the record is associated with
RuleName string The name or ID of the rule by associated with the inspection results.
RuleNumber int The number of the rule associated with the inspection results.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
Src string A unique identifier of the source device.
SrcDescription string The number of the rule associated with the inspection results.
SrcDeviceType string The type of the source device.
SrcDomain string The domain of the source device.
SrcDomainType string The type of SrcDomain.
SrcDvcId string The ID of the source device.
SrcDvcIdType string The type of SrcDvcId.
SrcDvcScope string The cloud platform scope the source device belongs to. DvcScope maps to a subscription on Azure and to an account on AWS.
SrcDvcScopeId string The cloud platform scope ID the source device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.
SrcFQDN string The source device hostname, including domain information.
SrcGeoCity string The city associated with the source IP address.
SrcGeoCountry string The country associated with the source IP address.
SrcGeoLatitude real The latitude of the geographical coordinate associated with the source IP address.
SrcGeoLongitude real The longitude of the geographical coordinate associated with the source IP address.
SrcGeoRegion string The region, or state, within a country, associated with the source IP address.
SrcHostname string The source device hostname, excluding domain information.
SrcIpAddr string The IP address of the client sending the DNS request. For a recursive DNS request, this value would typically be the reporting device, and in most cases, set to 127.0.0.1.
SrcOriginalRiskLevel string The risk level associated with the source device as reported by the reporting device.
SrcOriginalUserType string The original source user type, as provided by the source.
SrcPortNumber int Source port of the DNS query.
SrcProcessGuid string A generated unique identifier (GUID) of the process that initiated the DNS request.
SrcProcessId string The process ID (PID) of the process that initiated the DNS request.
SrcProcessName string The name of the process that initiated the DNS request.
SrcRiskLevel int The risk level associated with the source device.
SrcUserId string A machine-readable, alphanumeric, unique representation of the source user.
SrcUserIdType string The type of the ID stored in the SrcUserId field.
SrcUsername string The Source username, including domain information when available.
SrcUsernameType string The type of the username stored in the SrcUsername field.
SrcUserScope string The scope, such as Azure AD tenant, in which SrcUserId and SrcUsername are defined.
SrcUserScopeId string The ID of the scope, such as Azure AD tenant, in which SrcUserId and SrcUsername are defined.
SrcUserSessionId string The unique ID of the sign-in session of the source user.
SrcUserType string The type of the source user.
_SubscriptionId string A unique identifier for the subscription that the record is associated with
TenantId string The Log Analytics workspace ID
ThreatCategory string If a DNS event source also provides DNS security, it may also evaluate the DNS event. For example, it can search for the IP address or domain in a threat intelligence database, and assign the domain or IP address with a Threat Category.
ThreatConfidence int The confidence level of the threat identified, normalized to a value between 0 and a 100.
ThreatField string The field for which a threat was identified. The value is either SrcIpAddr, DstIpAddr, Domain, or DnsResponseName.
ThreatFirstReportedTime string The first time the IP address or domain were identified as a threat.
ThreatFirstReportedTime_d datetime The first time the IP address or domain were identified as a threat.
ThreatId string The ID of the threat or malware identified in the web session.
ThreatIpAddr string An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents. If a threat is identified in the Domain field, this field should be empty.
ThreatIsActive bool True ID the threat identified is considered an active threat.
ThreatLastReportedTime string The last time the IP address or domain were identified as a threat.
ThreatLastReportedTime_d datetime The last time the IP address or domain were identified as a threat.
ThreatName string The name of the threat identified, as reported by the reporting device.
ThreatOriginalConfidence string The original confidence level of the threat identified, as reported by the reporting device.
ThreatOriginalRiskLevel int The original risk level associated with the threat identified, as reported by the reporting device.
ThreatOriginalRiskLevel_s string The risk level associated with the threat identified, normalized to a value between 0 and a 100.
ThreatRiskLevel int The risk level associated with the threat identified, normalized to a value between 0 and a 100.
TimeGenerated datetime The timestamp (UTC) reflecting the time in which the event was generated.
TransactionIdHex string The DNS unique hex transaction ID.
Type string The name of the table
UrlCategory string A DNS event source may also look up the category of the requested Domains.