DNS over AMA connector reference - available fields and normalization schema
Microsoft Sentinel allows you to stream and filter events from your Windows Domain Name System (DNS) server logs to the ASimDnsActivityLog
normalized schema table. This article describes the fields used for filtering the data, and the normalization schema for the Windows DNS server fields.
The Azure Monitor Agent (AMA) and its DNS extension are installed on your Windows Server to upload data from your DNS analytical logs to your Microsoft Sentinel workspace. You stream and filter the data using the Windows DNS Events via AMA connector.
Available fields for filtering
This table shows the available fields. The field names are normalized using the DNS schema.
Field name | Values | Description |
---|---|---|
EventOriginalType | Numbers between 256 and 280 | The Windows DNS eventID, which indicates the type of the DNS protocol event. |
EventResultDetails | • NOERROR • FORMERR • SERVFAIL • NXDOMAIN • NOTIMP • REFUSED • YXDOMAIN • YXRRSET • NXRRSET • NOTAUTH • NOTZONE • DSOTYPENI • BADVERS • BADSIG • BADKEY • BADTIME • BADALG • BADTRUNC • BADCOOKIE |
The operation's DNS result string as defined by the Internet Assigned Numbers Authority (IANA). |
DvcIpAdrr | IP addresses | The IP address of the server reporting the event. This field also includes geo-location and malicious IP information. |
DnsQuery | Domain names (FQDN) | The string representing the domain name to be resolved. • Can accept multiple values in a comma-separated list, and wildcards. For example: *.microsoft.com,google.com,facebook.com • Review these considerations for using wildcards. |
DnsQueryTypeName | • A • NS • MD • MF • CNAME • SOA • MB • MG • MR • NULL • WKS • PTR • HINFO • MINFO • MX • TXT • RP • AFSDB • X25 • ISDN • RT • NSAP • NSAP-PTR • SIG • KEY • PX • GPOS • AAAA • LOC • NXT • EID • NIMLOC • SRV |
The requested DNS attribute. The DNS resource record type name as defined by IANA. |
ASIM normalized DNS schema
This table describes and translates Windows DNS server fields into the normalized field names as they appear in the DNS normalization schema.
Windows DNS field name | Normalized field name | Type | Description |
---|---|---|---|
EventID | EventOriginalType | String | The original event type or ID. |
RCODE | EventResult | String | The outcome of the event (success, partial, failure, NA). |
RCODE parsed | EventResultDetails | String | The DNS response code as defined by IANA. |
InterfaceIP | DvcIpAdrr | String | The IP address of the event reporting device or interface. |
AA | DnsFlagsAuthoritative | Integer | Indicates whether the response from the server was authoritative. |
AD | DnsFlagsAuthenticated | Integer | Indicates that the server verified all of the data in the answer and the authority of the response, according to the server policies. |
RQNAME | DnsQuery | String | The domain needs to be resolved. |
QTYPE | DnsQueryType | Integer | The DNS resource record type as defined by IANA. |
Port | SrcPortNumber | Integer | Source port sending the query. |
Source | SrcIpAddr | IP address | The IP address of the client sending the DNS request. For a recursive DNS request, this value is typically the reporting device's IP, in most cases, 127.0.0.1 . |
ElapsedTime | DnsNetworkDuration | Integer | The time it took to complete the DNS request. |
GUID | DnsSessionId | String | The DNS session identifier as reported by the reporting device. |
Next steps
In this article, you learned about the fields used to filter DNS log data using the Windows DNS events via AMA connector. To learn more about Microsoft Sentinel, see the following articles:
- Get started detecting threats with Microsoft Sentinel.
- Use workbooks to monitor your data.