Queries for the ASimDnsActivityLogs table

Article
11/01/2024

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Count DNS failures for a source by source and type

Count the number of failed DNS queries for each source IP address and failure type

ASimDnsActivityLogs
| where EventType == 'Query' and EventResult == 'Failure'
| summarize count() by SrcIpAddr, EventResultDetails

Identify excessive query for a nonexistent domain by a source

Count the number of queries that return NXDOMAIN, indicating that the queries domain name does not exist, and compares the count to a threshold of 100.

ASimDnsActivityLogs
| where EventResultDetails == 'NXDOMAIN'
| summarize c=count() by SrcIpAddr
| where c > 100

Queries for the ASimDnsActivityLogs table

Count DNS failures for a source by source and type

Identify excessive query for a nonexistent domain by a source

Additional resources