Collecting DNS events using Azure Monitor Agent

This blog post shows how to set up collection of DNS events from Windows devices using Azure Monitor Agent (AMA).

This post is part of a series on mastering Azure logging in depth (overview).

To get you started, you can find ARM templates and scripts in my AzureLogLibrary (GitHub). Details are covered in the articles.

How to start collecting DNS events using an ARM template?

To get you started, check out the ARM template on my GitHub.

I also provide more documentation and a PowerShell script to deploy more DCRs.

Lastly, I also provide ‘Deploy to Azure’ shortcuts, based on the ARM templates mentioned above, so you can deploy the samples into your environment.

Filtering

As you can see in the sample ARM files, I have included some sample filters.

Adjust these to your needs.

"Filters": [
    {
        "FilterName": "Website",
        "Rules": [
            {
                "Field": "DvcIpAddr",
                "FieldValues": [
                    "123.123.123.123"
                ]
            }
        ]
    },
    {
        "FilterName": "Exclude_MyCompany_Queries",
        "Rules": [
            {
                "Field": "DnsQuery",
                "FieldValues": [
                    "mycompanyname.com"
                ]
            }
        ]
    },
    {
        "FilterName": "Recurse_Query_Out",
        "Rules": [
            {
                "Field": "EventOriginalType",
                "FieldValues": [
                    "260"
                ]
            }
        ]
    }
]
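Before deploying a filter set, it is worth checking that the DCR is wired correctly and that the exclusions only drop what you intend. The following added Python example (mine, not code from the AzureLogLibrary) checks the stream/destination references of the DCR and replays the three sample filters over constructed events. It assumes, as names such as Exclude_MyCompany_Queries suggest, that a matching filter excludes the event, and that a rule matches on case-insensitive exact equality; the DCR properties are a trimmed copy of the template on this page with the workspace ID replaced by a placeholder.

```python
DCR_PROPERTIES = {  # trimmed copy of the DCR "properties" from the template above
    "dataSources": {"extensions": [{
        "streams": ["Microsoft-ASimDnsActivityLogs"], "extensionName": "MicrosoftDnsAgent",
        "extensionSettings": {"Filters": [
            {"FilterName": "Website",
             "Rules": [{"Field": "DvcIpAddr", "FieldValues": ["123.123.123.123"]}]},
            {"FilterName": "Exclude_MyCompany_Queries",
             "Rules": [{"Field": "DnsQuery", "FieldValues": ["mycompanyname.com"]}]},
            {"FilterName": "Recurse_Query_Out",
             "Rules": [{"Field": "EventOriginalType", "FieldValues": ["260"]}]},
        ]}}]},
    "destinations": {"logAnalytics": [
        {"workspaceResourceId": "<WORKSPACE_RESOURCE_ID placeholder>", "name": "DnsDataCollection"}]},
    "dataFlows": [{"streams": ["Microsoft-ASimDnsActivityLogs"], "destinations": ["DnsDataCollection"]}],
}

def check_wiring(props):
    """Wiring problems: every dataFlow stream needs a data source and every dataFlow destination a declared name."""
    streams = {s for ext in props["dataSources"].get("extensions", []) for s in ext["streams"]}
    dests = {d["name"] for d in props["destinations"].get("logAnalytics", [])}
    problems = []
    for flow in props["dataFlows"]:
        problems += [f"stream {s} has no data source" for s in flow["streams"] if s not in streams]
        problems += [f"destination {d} is not declared" for d in flow["destinations"] if d not in dests]
    return problems

def filter_hits(props, event):
    """Names of filters whose rules all match; assumption: field equals a FieldValue, case-insensitively."""
    hits = []
    for ext in props["dataSources"]["extensions"]:
        for f in ext["extensionSettings"].get("Filters", []):
            if all(str(event.get(r["Field"], "")).lower() in {v.lower() for v in r["FieldValues"]}
                   for r in f["Rules"]):
                hits.append(f["FilterName"])
    return hits

def forwarded(props, events):
    """Events that reach the workspace, assuming a filter hit excludes the event (as the
    name Exclude_MyCompany_Queries suggests); whatever is dropped here is invisible to detection."""
    return [e for e in events if not filter_hits(props, e)]

# Constructed sample events, using the ASim field names the filters reference.
SAMPLE_EVENTS = [
    {"DvcIpAddr": "10.0.0.5", "DnsQuery": "mycompanyname.com", "EventOriginalType": "256"},
    {"DvcIpAddr": "123.123.123.123", "DnsQuery": "example.org", "EventOriginalType": "256"},
    {"DvcIpAddr": "10.0.0.5", "DnsQuery": "update.example.net", "EventOriginalType": "260"},
    {"DvcIpAddr": "10.0.0.7", "DnsQuery": "unknown-host.example.test", "EventOriginalType": "256"},
]
```

Run check_wiring before deploying, and review the forwarded() output against what your detections need so that a broad exclusion (for example on your own domain) does not blind them.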

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "WorkspaceResourceId": {
            "type": "String",
            "metadata": {
                "description": "LogAnalytics Workspace Resource ID"
            }
        },
        "WorkspaceLocation": {
            "type": "String",
            "metadata": {
                "description": "LogAnalytics Workspace Location (e.g. westeurope)"
            }
        },
        "DcrName": {
            "type": "String",
            "metadata": {
                "description": "Data Collection Rule name"
            }
        },
        "DcrResourceGroup": {
            "type": "String",
            "metadata": {
                "description": "Data Collection Rule resource group"
            }
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2017-05-10",
            "name": "[parameters('DcrName')]",
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {},
                    "variables": {},
                    "resources": [
                        {
                            "type": "Microsoft.Insights/dataCollectionRules",
                            "apiVersion": "2021-04-01",
                            "name": "[parameters('DcrName')]",
                            "location": "[parameters('WorkspaceLocation')]",
                            "properties": {
                                "description": "Data collection rule for Windows DNS events collected via AMA.",
                                "dataSources": {
                                    "extensions": [
                                                {
                                                    "streams": [
                                                        "Microsoft-ASimDnsActivityLogs"
                                                    ],
                                                    "extensionName": "MicrosoftDnsAgent",
                                                    "extensionSettings": {
                                                        "Filters": [
                                                            {
                                                                "FilterName": "Website",
                                                                "Rules": [
                                                                    {
                                                                        "Field": "DvcIpAddr",
                                                                        "FieldValues": [
                                                                            "123.123.123.123"
                                                                        ]
                                                                    }
                                                                ]
                                                            },
                                                            {
                                                                "FilterName": "Exclude_MyCompany_Queries",
                                                                "Rules": [
                                                                    {
                                                                        "Field": "DnsQuery",
                                                                        "FieldValues": [
                                                                            "mycompanyname.com"
                                                                        ]
                                                                    }
                                                                ]
                                                            },
                                                            {
                                                                "FilterName": "Recurse_Query_Out",
                                                                "Rules": [
                                                                    {
                                                                        "Field": "EventOriginalType",
                                                                        "FieldValues": [
                                                                            "260"
                                                                        ]
                                                                    }
                                                                ]
                                                            }
                                                        ]
                                                    },
                                                    "name": "ASimDnsActivityLogsTypeExtension"
                                                }
                                    ]
                                },
                                "destinations": {
                                    "logAnalytics": [
                                        {
                                            "workspaceResourceId": "[parameters('WorkspaceResourceId')]",
                                            "name": "DnsDataCollection"
                                        }
                                    ]
                                },
                                "dataFlows": [
                                    {
                                        "streams": [
                                            "Microsoft-ASimDnsActivityLogs"
                                        ],
                                        "destinations": [
                                            "DnsDataCollection"
                                        ]
                                    }
                                ]
                            }
                        }
                    ]
                }
            },
            "subscriptionId": "[split(parameters('WorkspaceResourceId'),'/')[2]]",
            "resourceGroup": "[parameters('DcrResourceGroup')]"
        }
    ],
    "outputs": {}
}
