Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Count DNS failures for a source by source and type
Count the number of failed DNS queries for each source IP address and failure type
ASimDnsActivityLogs
| where EventType == 'Query' and EventResult == 'Failure'
| summarize count() by SrcIpAddr, EventResultDetails
Identify excessive query for a nonexistent domain by a source
Count the number of queries that return NXDOMAIN, indicating that the queries domain name does not exist, and compares the count to a threshold of 100.
ASimDnsActivityLogs
| where EventResultDetails == 'NXDOMAIN'
| summarize c=count() by SrcIpAddr
| where c > 100