Queries for the DnsEvents table
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Clients Resolving Malicious Domains
Lists each distinct client IP that resolved a malicious domain, with the number of matching lookups per client.
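DnsEvents
// Keep lookup queries where the MaliciousIP field is populated
| where SubType == 'LookupQuery' and isnotempty(MaliciousIP)
// One row per client IP, with the count of matching lookups
| summarize count() by ClientIP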