Windows DNS/Directory Services
Malicious or misused software often attempts to resolve blacklisted or suspicious domain names. Collecting DNS queries and responses is recommended so that compromise or intrusion can be discovered through security analytics. A number of the events below are only recorded when enhanced auditing is enabled. See [Network Forensics with Windows DNS Analytical Logging](http://blogs.technet.com/b/teamdhcp/archive/2015/11/24/network-forensics-with-windows-dns-analytical-logging.aspx) for more information.
Related Solution
AIS Managed SIEM
SIEM Events

Event                   Description                                    Event Source                   Event Log
DNS Request/Response    Requires enhanced auditing enabled.            Microsoft-Windows-DNSServer    Microsoft-Windows-DNSServer/Analytical
DNS Query Complete      DNS query completed (Application DNS Lookup)   Microsoft-Windows-DNS-Client   Microsoft-Windows-DNS-Client/Operational
DNS Response Complete   DNS Query Response (DNS Cache service)         Microsoft-Windows-DNS-Client   Microsoft-Windows-DNS-Client/Operational
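The following PowerShell is an added example, not part of the original page, showing how to turn on the two channels in the table above (the analytical channel is the "enhanced auditing" the table refers to) and summarise recent lookups so rare or watchlisted names surface for triage. It assumes an elevated session on a Windows DNS server; $LookbackMinutes, $Watchlist and the message-parsing regexes are assumptions, not values from the page.

```powershell
# Added example (not from the original page): enable the DNS channels named
# above and summarise recent lookups. Assumes an elevated PowerShell session
# on a Windows DNS server; $LookbackMinutes, $Watchlist and the regexes below
# are assumptions.

$ServerAnalytical  = 'Microsoft-Windows-DNSServer/Analytical'
$ClientOperational = 'Microsoft-Windows-DNS-Client/Operational'
$LookbackMinutes   = 60
$Watchlist         = @('bad.example', 'c2.example')   # constructed placeholder names

# 1. Enable both channels (off by default). /q:true suppresses the confirmation
#    prompt wevtutil shows when enabling analytical/debug channels.
wevtutil sl $ServerAnalytical  /e:true /q:true
wevtutil sl $ClientOperational /e:true /q:true

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# 2. Analytical/debug channels are ETL-backed, so Get-WinEvent only reads them
#    with -Oldest; the time filter is applied afterwards.
$serverEvents = Get-WinEvent -LogName $ServerAnalytical -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $since }

# The operational channel is an ordinary log, so a hashtable filter works.
$clientEvents = Get-WinEvent -FilterHashtable @{ LogName = $ClientOperational; StartTime = $since } `
    -ErrorAction SilentlyContinue

# 3. Pull the queried name out of each message. Server events carry
#    "QNAME=<name>;", client events read "... for the name <name>, ...".
function Get-QueriedName([string]$Message) {
    if ($Message -match 'QNAME=([^;]+)')          { return $Matches[1].TrimEnd('.') }
    if ($Message -match 'for the name ([^,\s]+)') { return $Matches[1].TrimEnd('.') }
    return $null
}

$names = @($serverEvents) + @($clientEvents) |
    ForEach-Object { Get-QueriedName $_.Message } |
    Where-Object { $_ }

# 4. Least-frequent names first: a name seen once in an hour of traffic, or one
#    on the watchlist, is what an analyst looks at before the top talkers.
$names | Group-Object | Sort-Object Count |
    Select-Object @{ n = 'Name'; e = { $_.Name } },
                  Count,
                  @{ n = 'Watchlist'; e = { $Watchlist -contains $_.Name } } |
    Format-Table -AutoSize
```

Run the two wevtutil lines once; re-running the collection part on a schedule (or shipping the same channels to the SIEM) gives the per-name baseline that makes a single unusual lookup stand out.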
Last modified: September 14, 2021