DnsAuditEvents

DNS server audit events enable change tracking on the DNS server. An audit event is logged each time server, zone, or resource record settings are changed. This includes operational events such as zone transfers, and DNSSEC zone signing and unsigning. This table captures audit events that are not from dynamic updates.

Table attributes

Attribute Value
Resource types microsoft.securityinsights/securityinsights
Categories Security
Solutions SecurityInsights
Basic log No
Ingestion-time transformation No
Sample Queries -

Columns

Column Type Description
Action string If a query meets the criteria of a policy, the action is the response that the policy requires.
ActiveKey string Signing key of the KSK's active key.
AdditionalData dynamic Additional information not already scoped into its own dedicated field.
Base64Data string Key data.
_BilledSize real The record size in bytes
BufferSize int Size of the buffer used for logging the event data.(in bytes)
ChildZone string Name of a child zone.
ClientSubnetList string The list of IPv4 and IPv6 of the client subnet.
ClientSubnetRecord string Then name of the client subnet.
Condition string Specific circumstances or requirements that trigger certain actions or policies.
Criteria string Criteria or conditions that triggered the event.
CryptoAlgorithm string The cryptographic algorithm used for securing DNS-related operations.
CurrentRolloverStatus string The state of the key rollover process from one key to another.
CurrentState string The current status of a DNS key or zone.
DenialOfExistence string The method used to prove that a certain DNS record does not exist.
Digest string A secure fingerprint, allowing DNS resolvers to validate the authenticity of the trust anchor information.
DigestType string Specifies the type of cryptographic hash algorithm used for generating the digest (hash) value.
DistributeTrustAnchor string Relates to the distribution of a trust anchor for DNSSEC, which is a secure public key that helps in the validation of DNS data.
DnsKeyRecordSetTtl int The time-to-live (TTL) value assigned to DNSKEY records when signing a DNS zone. This value determines how long a DNSKEY record will be considered valid before it needs to be refreshed.
DnsKeySignatureValidityPeriod int The duration in seconds that a DNSKEY record's signature is considered valid.
DnsQuery string The domain that needs to be resolved.
DnsQueryType int The DNS resource record type codes as defined by the Internet Assigned Numbers Authority (IANA).
DSRecordGenerationAlgorithm string The algorithm used to generate the Delegation Signer (DS) record from the DNSKEY record.
DSRecordSetTtl int The time-to-live (TTL) value for the DS (Delegation Signer) record set.
DSSignatureValidityPeriod int The period in seconds that a DS (Delegation Signer) record's signature is considered valid.
EnableRfc5011KeyRollover string The process of automating the update and rollover of DNSSEC keys in accordance with RFC 5011 standards.
EventGuid string Unique identifier for the specific event.
EventId string Identifier for the underlying Windows event.
EventString string Human-readable description of the event.
EventType string Type of DNS event (e.g., zone transfer, dynamic update, DNSSEC signing).
FilePath string The location of a file or directory that the DNS server is interacting with.
Forwarders string DNS forwarders used by the server.
InitialRolloverOffset int The initial time delay (in seconds) before the first rollover action is triggered for a DNSSEC key.
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
IsEnabled string This parameter indicates whether the policy or exception list is currently active.
IsKeyMasterServer string Whether the DNS server is the key master server for a DNSSEC-signed zone.
KeyId string The unique identifier of a DNSSEC signing key.
KeyLength int The length of the cryptographic key used in DNSSEC signing operations.
KeyMasterServer string The DNS server that is responsible for generating and managing the DNSSEC keys for a zone.
KeyOrZone string The signing key used for authentication and data integrity in a specific DNS zone.
KeyProtocol string Protocol used for DNSSEC key management (e.g., DNSKEY, DS).
KeyStorageProvider string The system or service that is responsible for securely storing the DNSSEC keys.
KeyTag int A numeric identifier for the cryptographic key used by the DS record.
KeyType string The type of DNSSEC signing key being used.
KskOrZsk string The type of signing key used in a specific DNS zone.
LastRolloverTime datetime The last time a rollover process took place.
ListenAddresses string IP addresses on which the DNS server listens.
LookupValue string Type of DNS lookup (e.g., recursive, iterative).
MasterServer string The primary DNS server from which a secondary DNS server obtains zone data.
Name string Specifies the domain name or hostname associated with a specific record.
NameServer string Name server responsible for the DNS event.
NewPropertyValues string The set of properties after they were updated for a specific policy or exception list in the DNS server or zone.
NewValue string The updated value assigned to a specific property key within the DNS zone.
NextKey string The upcoming key that will be used in the DNS zone signing process after the current active and standby keys.
NextRolloverAction string The rollover action performed.
NextRolloverTime datetime The next time a rollover process should happen.
NodeName string The node name within the DNS zone.
NSec3HashAlgorithm int The cryptographic hash algorithm used in the NSEC3 protocol for DNSSEC.
NSec3Iterations int The number of additional hashing iterations a DNSSEC-enabled DNS server uses.
NSec3OptOut string Indicates if the DNSSEC NSEC3 protocol is configured to allow unsigned delegations.
NSec3RandomSaltLength int The length of the random salt value used in the NSEC3 protocol for DNSSEC.
NSec3UserSalt string The user-defined salt value used in the NSEC3 protocol for DNSSEC.
OldPropertyValues string The set of properties before they were updated for a specific policy or exception list in the DNS server or zone.
ParentHasSecureDelegation string Whether the parent zone has a secure delegation to the child zone.
Policy string Defines rules or guidelines for managing specific aspects of DNS behavior.
ProcessingOrder int Determines the sequence in which policies are applied.
PropagationTime int Time taken for the event information to propagate. Duration (e.g., milliseconds) or "Immediate" if no delay.
PropertyKey string Specific property or setting affected by the event.
RDATA string Represents the data of the resource record that was created, deleted, or scavenged in the DNS zone.
RecursionScope string A specific area or set of conditions under which DNS recursion is allowed or applied on a DNS server.
ReplicationScope string Scope of DNS replication (e.g., forest-wide, domain-specific).
_ResourceId string A unique identifier for the resource that the record is associated with
RolloverPeriod int Time interval for log rollover (e.g., daily, weekly).
RolloverType string Type of rollover (e.g., overwrite, append).
ScavengeServers string Servers involved in DNS scavenging (aging and cleanup of stale records).
Scope string The scope of the event (e.g., server-wide, zone-specific).
Scopes string DNS scopes impacted by the event (e.g., global, local).
SecureDelegationPollingPeriod int Interval for polling secure delegation information. Numeric value (e.g., minutes) or "Disabled" if not applicable.
SeizedOrTransferred string Refers to the action taken, either a seizure (when control is forcibly transferred) or a voluntary transfer of the key master role.
ServerName string Represents the DNS server where the policy or exception list is being configured.
Setting string Specific DNS configuration setting modified by the event.
SignatureInceptionOffset int Offset time for DNSSEC signature inception. Duration (e.g., seconds) or "Immediate" if no delay.
Source string Source of the DNS event (e.g., server, client).
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
StandbyKey string the backup key that will be used if the current active key is compromised or needs to be replaced in the DNS zone signing process.
StoreKeysInAD string Specifies whether the keys are stored in Active Directory Domain Services (AD DS). This setting applies only to Active Directory-integrated zones when the vendor of KeyStorageProvider is Microsoft.
_SubscriptionId string A unique identifier for the subscription that the record is associated with
SubTreeAging string Mechanism that affects the aging (expiration) of DNS records within a specific subtree or branch of a DNS zone.
TenantId string The Log Analytics workspace ID
TimeGenerated datetime The timestamp (UTC) of when the event was generated.
TTL int The time-to-live for the DNS record, indicating how long the record should be cached before it is discarded or refreshed.
Type string The name of the table
VirtualizationID string A unique key to manage and coordinate activities within the virtualized environment.
WithNewKeys string Indicates whether new DNSSEC keys were generated.
WithWithout string Whether key signing key (KSK) metadata is included or excluded when exporting DNSSEC settings for a specific zone.
Zone string The zone related to the activity.
ZoneFile string The name of the zone file.
ZoneName string The name of a DNS zone on which the zone which the event relates to.
ZoneScope string A list of scopes and weights for the zone.
ZoneSignatureValidityPeriod int The amount of time that signatures that cover all other record sets are valid.