Send logs to Microsoft Sentinel (2024)

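// Usage Instructions:
// Paste the query below into the Log Analytics query editor.
// Click the "Save" button and select "Save as function".
// Enter "ASimDnsMicrosoftNXLog" in the "Function name" field.
// For "Legacy category:" enter "DNS Server logs".
// "Parameters" are not needed.
// Function usually takes 10-15 minutes to activate.
// You can then use this function from any other queries (e.g. ASimDnsMicrosoftNXLog | take 10).
// Reference: Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
//
// NOTE(review): the trailing call `ASimDnsMicrosoftNXLog(disabled=disabled)` reads a
// `disabled` value from the outer scope, so the saved function apparently needs a
// bool parameter named `disabled` (default false) for that line to resolve — confirm
// against the "Parameters are not needed" instruction above when saving.
//
// ASIM DNS parser for Microsoft DNS Server events shipped by NXLog into the custom
// table NXLog_DNS_Server_CL. Output follows the ASIM Dns schema (EventSchemaVersion
// 0.1.7). `disabled` lets a unifying parser switch this source off (returns no rows).
let ASimDnsMicrosoftNXLog = (disabled:bool=false) {
  // Windows DNS Server event ID (EventID_d) -> ASIM EventType.
  // Only IDs 256..280 are mapped; the `where EventID_d < 281` filter below drops the rest.
  let EventTypeTable = datatable(EventOriginalType:real, EventType:string) [
    256, 'Query',          257, 'Query',          258, 'Query',
    259, 'Query',          260, 'Query',          261, 'Query',
    262, 'Query',          263, 'Dynamic update', 264, 'Dynamic update',
    265, 'Zone XFR',       266, 'Zone XFR',       267, 'Zone XFR',
    268, 'Zone XFR',       269, 'Zone XFR',       270, 'Zone XFR',
    271, 'Zone XFR',       272, 'Zone XFR',       273, 'Zone XFR',
    274, 'Zone XFR',       275, 'Zone XFR',       276, 'Zone XFR',
    277, 'Dynamic update', 278, 'Dynamic update', 279, 'Query',
    280, 'Query'
  ];
  // Event ID -> ASIM EventSubType (request vs. response).
  let EventSubTypeTable = datatable(EventOriginalType:real, EventSubType:string) [
    256, 'request',  257, 'response', 258, 'response',
    259, 'response', 260, 'request',  261, 'response',
    262, 'response', 263, 'request',  264, 'response',
    265, 'request',  266, 'request',  267, 'response',
    268, 'response', 269, 'request',  270, 'request',
    271, 'response', 272, 'response', 273, 'request',
    274, 'request',  275, 'response', 276, 'response',
    277, 'request',  278, 'response', 279, 'response',
    280, 'response'
  ];
  // Event ID -> ASIM EventResult. 'Based on RCODE' is a placeholder that is resolved
  // later from DnsResponseCode (0 -> Success, anything else -> Failure).
  let EventResultTable = datatable(EventOriginalType:real, EventResult:string) [
    256, 'NA',             257, 'Success',        258, 'Failure',
    259, 'Failure',        260, 'NA',             261, 'NA',
    262, 'Failure',        263, 'NA',             264, 'Based on RCODE',
    265, 'NA',             266, 'NA',             267, 'Based on RCODE',
    268, 'Based on RCODE', 269, 'NA',             270, 'NA',
    271, 'Based on RCODE', 272, 'Based on RCODE', 273, 'NA',
    274, 'NA',             275, 'Success',        276, 'Success',
    277, 'NA',             278, 'Based on RCODE', 279, 'NA',
    280, 'NA'
  ];
  // DNS RCODE -> name. Keys must be unique: `lookup` emits one output row per matching
  // right-side row, so a duplicated key would duplicate every event carrying that RCODE.
  // Code 16 is shared by BADVERS (EDNS) and BADSIG (TSIG) in the IANA registry; a single
  // row is kept here so those responses are not double-counted.
  let RCodeTable = datatable(DnsResponseCode:int, ResponseCodeName:string) [
    0,  'NOERROR',   1,  'FORMERR',   2,  'SERVFAIL',  3,  'NXDOMAIN',
    4,  'NOTIMP',    5,  'REFUSED',   6,  'YXDOMAIN',  7,  'YXRRSET',
    8,  'NXRRSET',   9,  'NOTAUTH',   10, 'NOTZONE',   11, 'DSOTYPENI',
    16, 'BADVERS',   17, 'BADKEY',    18, 'BADTIME',   19, 'BADMODE',
    20, 'BADNAME',   21, 'BADALG',    22, 'BADTRUNC',  23, 'BADCOOKIE'
  ];
  // DNS QTYPE -> record type name (IANA resource record types).
  let QTypeTable = datatable(DnsQueryType:int, QTypeName:string) [
    0,   'Reserved',  1,   'A',         2,   'NS',        3,   'MD',
    4,   'MF',        5,   'CNAME',     6,   'SOA',       7,   'MB',
    8,   'MG',        9,   'MR',        10,  'NULL',      11,  'WKS',
    12,  'PTR',       13,  'HINFO',     14,  'MINFO',     15,  'MX',
    16,  'TXT',       17,  'RP',        18,  'AFSDB',     19,  'X25',
    20,  'ISDN',      21,  'RT',        22,  'NSAP',      23,  'NSAP-PTR',
    24,  'SIG',       25,  'KEY',       26,  'PX',        27,  'GPOS',
    28,  'AAAA',      29,  'LOC',       30,  'NXT',       31,  'EID',
    32,  'NIMLOC',    33,  'SRV',       34,  'ATMA',      35,  'NAPTR',
    36,  'KX',        37,  'CERT',      38,  'A6',        39,  'DNAME',
    40,  'SINK',      41,  'OPT',       42,  'APL',       43,  'DS',
    44,  'SSHFP',     45,  'IPSECKEY',  46,  'RRSIG',     47,  'NSEC',
    48,  'DNSKEY',    49,  'DHCID',     50,  'NSEC3',     51,  'NSEC3PARAM',
    52,  'TLSA',      53,  'SMIMEA',    55,  'HIP',       56,  'NINFO',
    57,  'RKEY',      58,  'TALINK',    59,  'CDS',       60,  'CDNSKEY',
    61,  'OPENPGPKEY', 62, 'CSYNC',     63,  'ZONEMD',    64,  'SVCB',
    65,  'HTTPS',     99,  'SPF',       100, 'UINFO',     101, 'UID',
    102, 'GID',       103, 'UNSPEC',    104, 'NID',       105, 'L32',
    106, 'L64',       107, 'LP',        108, 'EUI48',     109, 'EUI64',
    249, 'TKEY',      250, 'TSIG',      251, 'IXFR',      252, 'AXFR',
    253, 'MAILB',     254, 'MAILA',     255, '*',         256, 'URI',
    257, 'CAA',       258, 'AVC',       259, 'DOA',       32768, 'TA',
    32769, 'DLV'
  ];
  NXLog_DNS_Server_CL
  | where not(disabled)
  // Keep only the event IDs mapped in the tables above.
  | where EventID_d < 281
  | project-rename
      DnsFlags          = Flags_s,
      DnsQuery          = QNAME_s,
      DnsQueryType      = QTYPE_s,
      DnsResponseCode   = RCODE_s,
      DnsResponseName   = PacketData_s,
      Dvc               = Hostname_s,
      EventOriginalType = EventID_d,
      EventOriginalUid  = GUID_g,
      EventStartTime    = EventTime_t,
      SrcIpAddr         = Source_s,
      EventUid          = _ItemId
  | extend
      // Trailing dot removed so the FQDN matches the form used by other DNS parsers.
      DnsQuery                 = trim_end(".", DnsQuery),
      DnsQueryType             = toint(DnsQueryType),
      DnsResponseCode          = toint(DnsResponseCode),
      SrcPortNumber            = toint(Port_s),
      DvcHostname              = Dvc,
      DvcIpAddr                = HostIP_s,
      EventEndTime             = EventStartTime,
      EventProduct             = "DNS Server",
      EventSchemaVersion       = "0.1.7",
      EventVendor              = "Microsoft",
      EventSchema              = "Dns",
      EventCount               = int(1),
      // TCP_s is "0" for UDP transport, anything else is treated as TCP.
      NetworkProtocol          = iff(TCP_s == "0", "UDP", "TCP"),
      TransactionIdHex         = tohex(toint(XID_s)),
      DnsFlagsAuthenticated    = tobool(AD_s),
      DnsFlagsAuthoritative    = tobool(AA_s),
      DnsFlagsRecursionDesired = tobool(RD_s)
  | lookup EventTypeTable on EventOriginalType
  | lookup EventSubTypeTable on EventOriginalType
  | lookup EventResultTable on EventOriginalType
  | lookup RCodeTable on DnsResponseCode
  | lookup QTypeTable on DnsQueryType
  | extend
      // RCODEs 3841..4095 are the IANA private-use range; anything else unknown is 'Unassigned'.
      EventResultDetails = case(
        isnotempty(ResponseCodeName), ResponseCodeName,
        DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use',
        'Unassigned'),
      EventOriginalType = tostring(EventOriginalType)
  | extend
      Domain              = DnsQuery,
      DnsResponseCodeName = EventResultDetails,
      // Any QTYPE absent from QTypeTable (including the IANA gaps 66-98, 110-248 and
      // 261-32767) is reported as 'Unassigned'.
      DnsQueryTypeName    = iff(isnotempty(QTypeName), QTypeName, 'Unassigned'),
      // Resolve the 'Based on RCODE' placeholder: RCODE 0 is success, anything else failure.
      EventResult         = iff(EventResult == "Based on RCODE",
                                iff(DnsResponseCode == 0, "Success", "Failure"),
                                EventResult)
  // Aliases
  | extend
      IpAddr = SrcIpAddr,
      Src    = SrcIpAddr
  // Drop the raw NXLog columns and Log Analytics metadata not part of the ASIM schema.
  | project-away *_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName,
      Computer, RawData, ResponseCodeName, EventReceivedTime_t, ProviderGuid_g, _ResourceId
};
ASimDnsMicrosoftNXLog(disabled=disabled)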