This blog post will give you insight into how to set up collection of DNS events from Windows devices using the Azure Monitor Agent (AMA).
This blog post is part of a series of posts on mastering Azure logging in depth (overview).
To get you started, you can find ARM templates and scripts in my AzureLogLibrary (GitHub). Details will be covered in the articles.
How do I start collecting DNS events using an ARM template?
To get you started, check out the ARM template on my GitHub.
I also provide more documentation and a PowerShell script to deploy additional DCRs.
Lastly, I also provide 'Deploy to Azure' shortcuts based on the mentioned ARM templates, so you can deploy the samples into your own environment.
Filtering
As you can see in the sample ARM files, I have included some example filters. The IP address and domain name in them are placeholders; adjust the filters to match your own environment and needs.
"Filters": [
{
"FilterName": "Website",
"Rules": [
{
"Field": "DvcIpAddr",
"FieldValues": [
"123.123.123.123"
]
}
]
},
{
"FilterName": "Exclude_MyCompany_Queries",
"Rules": [
{
"Field": "DnsQuery",
"FieldValues": [
"mycompanyname.com"
]
}
]
},
{
"FilterName": "Recurse_Query_Out",
"Rules": [
{
"Field": "EventOriginalType",
"FieldValues": [
"260"
]
}
]
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"WorkspaceResourceId": {
"type": "String",
"metadata": {
"description": "LogAnalytics Workspace Resource ID"
}
},
"WorkspaceLocation": {
"type": "String",
"metadata": {
"description": "LogAnalytics Workspace Location (e.g. westeurope)"
}
},
"DcrName": {
"type": "String",
"metadata": {
"description": "Data Collection Rule name"
}
},
"DcrResourceGroup": {
"type": "String",
"metadata": {
"description": "Data Collection Rule resource group"
}
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2017-05-10",
"name": "[parameters('DcrName')]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2021-04-01",
"name": "[parameters('DcrName')]",
"location": "[parameters('WorkspaceLocation')]",
"properties": {
"description": "Data collection rule for DNS events (Microsoft-ASimDnsActivityLogs).",
"dataSources": {
"extensions": [
{
"streams": [
"Microsoft-ASimDnsActivityLogs"
],
"extensionName": "MicrosoftDnsAgent",
"extensionSettings": {
"Filters": [
{
"FilterName": "Website",
"Rules": [
{
"Field": "DvcIpAddr",
"FieldValues": [
"123.123.123.123"
]
}
]
},
{
"FilterName": "Exclude_MyCompany_Queries",
"Rules": [
{
"Field": "DnsQuery",
"FieldValues": [
"mycompanyname.com"
]
}
]
},
{
"FilterName": "Recurse_Query_Out",
"Rules": [
{
"Field": "EventOriginalType",
"FieldValues": [
"260"
]
}
]
}
]
},
"name": "ASimDnsActivityLogsTypeExtension"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[parameters('WorkspaceResourceId')]",
"name": "DnsDataCollection"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-ASimDnsActivityLogs"
],
"destinations": [
"DnsDataCollection"
]
}
]
}
}
]
}
},
"subscriptionId": "[split(parameters('WorkspaceResourceId'),'/')[2]]",
"resourceGroup": "[parameters('DcrResourceGroup')]"
}
],
"outputs": {}
}