You are a security analyst looking to improve threat detection on your endpoints. You already use Sysmon, particularly event code 1, process creation, to gain fidelity into programs starting on your systems, but you know there are other Sysmon events that you may want to utilize during your hunts. You're especially interested in digging more into the detail of DNS queries, which could complement your existing hunt techniques and potentially also help you drive more automation.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
source="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=22 EventDescription="DNS Query" host="<hostname>" Image="[C:\\Program Files(x86)\\Microsoft\\Edge\\Application\\msedge.exe]" QueryName="<URL>"
|source="xmlwineventlog:microsoft-windows-sysmon/operational"||Search only Sysmon operational data.|
|EventCode=22 EventDescription="DNS Query"
|Search for event code 22, DNS queries being executed, by a specific path on a specific host.|
|QueryName="<URL>"||Search for the URL specified.|
Here is an example result, showing host bstoll-1 using Microsoft Edge to lookup www.blogger.com and getting an IP address back in response:
In this example, the result is benign, but this search could return both benign and suspicious results. Modifying the image on a suspect host could yield greater insight on domain queries.
The content in this guide comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. In addition, these Splunk resources might help you understand and implement this use case: