kqlHunting
Detect Tor DNS request
Credit: Suraj Kumar. Modified from his query
Detection Query
DeviceNetworkEvents //Credit: Suraj Kumar. Modified from his query
| where TimeGenerated > ago(90d)
| extend AdditionalFields_query = tostring(parse_json(AdditionalFields)["query"])
| where AdditionalFields_query endswith ".onion"
| summarize count() by AdditionalFields_query, DeviceName
Data Sources
DeviceNetworkEvents
Platforms
windows
Tags
defender
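As an added illustration (not part of the catalogue entry or Suraj Kumar's query), the same detection logic in Python run over constructed DeviceNetworkEvents-style records, covering the cases the KQL has to cope with: a missing `query` key, a malformed AdditionalFields payload, a `.onion` label that is not the top-level domain, and the case-insensitive match that KQL `endswith` performs. The sample rows and the trailing-dot normalisation are assumptions.

```python
import json
from collections import Counter

# Constructed sample rows shaped like Sentinel/Defender DeviceNetworkEvents
# DNS-inspection records. Made-up values, not real telemetry.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "DnsConnectionInspected",
     "AdditionalFields": '{"query": "hiddensvc-example.onion", "qtype": "A"}'},
    {"DeviceName": "ws01", "ActionType": "DnsConnectionInspected",
     "AdditionalFields": '{"query": "HIDDENSVC-EXAMPLE.ONION", "qtype": "AAAA"}'},
    {"DeviceName": "ws02", "ActionType": "DnsConnectionInspected",
     "AdditionalFields": '{"query": "updates.example.com", "qtype": "A"}'},
    {"DeviceName": "ws02", "ActionType": "ConnectionSuccess",
     "AdditionalFields": '{"direction": "Out"}'},            # no "query" key
    {"DeviceName": "ws03", "ActionType": "DnsConnectionInspected",
     "AdditionalFields": "not json at all"},                 # malformed payload
    {"DeviceName": "ws03", "ActionType": "DnsConnectionInspected",
     "AdditionalFields": '{"query": "onion.example.com"}'},  # ".onion" not the TLD
]

def extract_query(additional_fields):
    """Mirror tostring(parse_json(AdditionalFields)["query"]): unparsable JSON
    or a missing key yields "" instead of raising, as KQL turns null into ""."""
    try:
        fields = json.loads(additional_fields)
    except (TypeError, ValueError):
        return ""
    if not isinstance(fields, dict) or fields.get("query") is None:
        return ""
    return str(fields["query"])

def is_onion_query(name):
    """KQL `endswith` is case-insensitive, so match that way. Stripping a
    trailing dot is an assumption: some sensors log FQDNs as "host.onion."."""
    return name.lower().rstrip(".").endswith(".onion")

def hunt_onion_queries(events):
    """Replicate `summarize count() by AdditionalFields_query, DeviceName`.
    Grouping is on the raw query string, exactly as the KQL does, so the
    two spellings of the same name on ws01 stay separate rows."""
    counts = Counter()
    for ev in events:
        query = extract_query(ev.get("AdditionalFields", ""))
        if is_onion_query(query):
            counts[(query, ev["DeviceName"])] += 1
    return dict(counts)
```

Note that the `TimeGenerated` column and a 90-day window belong to the Sentinel copy of the table; in the Defender portal's own advanced hunting the column is `Timestamp` and retention is shorter.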