Windows DNS-and-Directory Services

Malicious or misused software often attempts to resolve blacklisted or otherwise suspicious domain names. Collecting DNS queries and responses is recommended so that compromise or intrusion can be discovered through security analytics. Several of the events below are only recorded when enhanced (analytical) auditing is enabled; see Network Forensics with Windows DNS Analytical Logging for more information.

SIEM Events

DNS Request-and-Response

Requires enhanced auditing enabled.
Event Source: Microsoft-Windows-DNSServer
Event Log: Microsoft-Windows-DNSServer/Analytical

DNS Query Complete

DNS query completed (Application DNS Lookup)
Event Source: Microsoft-Windows-DNS-Client
Event Log: Microsoft-Windows-DNS-Client/Operational

DNS Response Complete

DNS query response (DNS Cache service)
Event Source: Microsoft-Windows-DNS-Client
Event Log: Microsoft-Windows-DNS-Client/Operational
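The following PowerShell is an added example, not part of the AIS page or Microsoft's documentation. It enables the two logs listed above (both are disabled by default), reads the DNS Server Analytical channel, extracts the DNS Client "DNS query completed" event (ID 3008 in Microsoft-Windows-DNS-Client/Operational) into a flat record, and matches resolved names against a watchlist. The event-data element names (QueryName, QueryType, QueryStatus, QueryResults), the function names and the sample records are assumptions made for the example; verify the element names against one real event on your build before relying on them.

```powershell
# Added example (not from the AIS page or Microsoft): enable the Windows DNS logs
# described above and turn "DNS query completed" events into SIEM-ready records.
# Run in an elevated PowerShell session; assumptions are marked below.

# --- 1. Enable the logs -------------------------------------------------------
# DNS Server enhanced auditing is the ETW-backed Analytical channel. Enable it on
# the DNS server only; it is high-volume on a busy resolver.
wevtutil sl "Microsoft-Windows-DNSServer/Analytical" /e:true

# DNS Client query/response events on endpoints.
wevtutil sl "Microsoft-Windows-DNS-Client/Operational" /e:true

# --- 2. Read the DNS Server Analytical channel --------------------------------
# Analytic/Debug channels can only be read oldest-first, so -Oldest is required;
# Get-WinEvent errors without it.
function Get-DnsServerAnalyticalEvents {
    param([int]$MaxEvents = 500)
    Get-WinEvent -LogName "Microsoft-Windows-DNSServer/Analytical" -Oldest `
                 -MaxEvents $MaxEvents -ErrorAction Stop
}

# --- 3. DNS Client "DNS query completed" (event ID 3008) ----------------------
# The EventData element names below are an assumption; check them against
# (Get-WinEvent ... -MaxEvents 1).ToXml() on your own system.
function Get-DnsQueryCompleted {
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = "Microsoft-Windows-DNS-Client/Operational"; Id = 3008 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                QueryName   = $data['QueryName']
                QueryType   = $data['QueryType']
                Status      = $data['QueryStatus']
                Results     = $data['QueryResults']
            }
        }
}

# --- 4. Match resolved names against a watchlist ------------------------------
# Flags the exact watchlisted name and any subdomain of it; trailing dots and
# case are normalised so "EVIL.example.net." still matches "evil.example.net".
function Test-DnsWatchlist {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string[]] $Watchlist
    )
    $set = $Watchlist | ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() }
    foreach ($e in $Events) {
        $name = ([string]$e.QueryName).TrimEnd('.').ToLowerInvariant()
        foreach ($bad in $set) {
            if ($name -eq $bad -or $name.EndsWith(".$bad")) {
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated
                    Computer    = $e.Computer
                    QueryName   = $e.QueryName
                    Matched     = $bad
                }
                break
            }
        }
    }
}

# Constructed sample records (not real telemetry) so the matcher runs offline.
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Computer = 'WS01'; QueryName = 'www.example.com.' }
    [pscustomobject]@{ TimeCreated = Get-Date; Computer = 'WS01'; QueryName = 'cdn.bad.example.net' }
    [pscustomobject]@{ TimeCreated = Get-Date; Computer = 'WS01'; QueryName = 'notbad.example.net' }
)
$watchlist = @('bad.example.net')
Test-DnsWatchlist -Events $sample -Watchlist $watchlist

# Live use on an endpoint once the Operational log is enabled:
# Test-DnsWatchlist -Events (Get-DnsQueryCompleted) -Watchlist $watchlist
```

With the sample data only cdn.bad.example.net is flagged: notbad.example.net shares a suffix but is not a subdomain, which is why the matcher tests for the leading dot rather than a bare suffix. Two collection caveats: the Analytical channel is only visible in Event Viewer with "Show Analytic and Debug Logs" enabled and cannot be forwarded by Windows Event Forwarding subscriptions, so the SIEM agent must read it locally; and enabling it on a busy DNS server noticeably increases log volume, so size the retention accordingly.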

AIS Managed SIEM

Last modified March 24, 2021