Adversaries may use a shared DNS suffix across multiple devices to mask lateral movement or command-and-control communications. SOC teams should proactively hunt for this behavior to identify potential coordinated attacks or compromised device groups within their Azure Sentinel environment.
KQL Query
DeviceInfo
// Drop inventory rows that carry no platform information.
| where isnotempty(OSPlatform)
// Keep only the most recently reported DeviceName for each device.
| summarize arg_max(Timestamp, DeviceName) by DeviceId
// Host part is everything before the first dot; tostring() because split() returns a dynamic value.
| extend DeviceMachineName = tostring(split(DeviceName, '.')[0])
// DNS suffix is the remainder after the first dot (empty for names without a dot).
| extend DeviceDomain = substring(DeviceName, strlen(DeviceMachineName) + 1, strlen(DeviceName) - strlen(DeviceMachineName) - 1)
// Count devices per suffix; remove this line to list each device with its suffix instead.
| summarize count() by DeviceDomain
id: fcd06834-86f9-43ce-817a-b5104ef279e0
name: Device Count by DNS Suffix
description: |
  This query will count the number of devices in Defender ATP based
  on their DNS suffix. For a full list of devices with the DNS
  suffix, comment out or remove the last line.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceInfo
query: |
  DeviceInfo
  // Drop inventory rows that carry no platform information.
  | where isnotempty(OSPlatform)
  // Keep only the most recently reported DeviceName for each device.
  | summarize arg_max(Timestamp, DeviceName) by DeviceId
  // Host part is everything before the first dot; tostring() because split() returns a dynamic value.
  | extend DeviceMachineName = tostring(split(DeviceName, '.')[0])
  // DNS suffix is the remainder after the first dot (empty for names without a dot).
  | extend DeviceDomain = substring(DeviceName, strlen(DeviceMachineName) + 1, strlen(DeviceName) - strlen(DeviceMachineName) - 1)
  // Count devices per suffix; remove this line to list each device with its suffix instead.
  | summarize count() by DeviceDomain
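The following Python script is an added example, not part of the Sentinel hunting query or its YAML. It reproduces the query's three steps (keep the newest row per DeviceId, split the FQDN into host and DNS suffix, count devices per suffix) over a constructed set of DeviceInfo rows so the logic can be checked offline, including a renamed device whose latest row must win and a host with no suffix at all. The final function goes one step beyond the page's query: it compares the suffixes against an analyst-defined allowlist, which is an assumption of this example (the page defines no such list), and returns the devices sitting under suffixes that were not expected.

```python
"""Added example: Python mirror of the "Device Count by DNS Suffix" KQL.
Sample rows, device names and the allowlist below are constructed."""
from collections import Counter
from datetime import datetime

# Constructed DeviceInfo snapshot: several rows per DeviceId, one device
# that was rejoined to another domain, one non-domain-joined host, and one
# row with an empty OSPlatform that the query discards.
SAMPLE_DEVICEINFO = [
    {"Timestamp": "2024-01-10T08:00:00Z", "DeviceId": "d1", "DeviceName": "ws01.corp.example.com", "OSPlatform": "Windows10"},
    {"Timestamp": "2024-01-11T08:00:00Z", "DeviceId": "d1", "DeviceName": "ws01.corp.example.com", "OSPlatform": "Windows10"},
    {"Timestamp": "2024-01-11T09:00:00Z", "DeviceId": "d2", "DeviceName": "ws02.corp.example.com", "OSPlatform": "Windows10"},
    {"Timestamp": "2024-01-09T07:00:00Z", "DeviceId": "d3", "DeviceName": "srv01.corp.example.com", "OSPlatform": "WindowsServer2019"},
    {"Timestamp": "2024-01-12T07:00:00Z", "DeviceId": "d3", "DeviceName": "srv01.lab.example.net", "OSPlatform": "WindowsServer2019"},  # newest row wins
    {"Timestamp": "2024-01-11T10:00:00Z", "DeviceId": "d4", "DeviceName": "kiosk-7", "OSPlatform": "Windows10"},  # no DNS suffix
    {"Timestamp": "2024-01-11T10:00:00Z", "DeviceId": "d5", "DeviceName": "stale.example.org", "OSPlatform": ""},  # dropped: empty OSPlatform
]


def split_dns_suffix(device_name):
    """Mirror the two extend steps: machine name is the text before the
    first '.', the suffix is whatever follows that dot. A name with no dot
    is mapped to an empty suffix so such hosts land in their own bucket."""
    machine = device_name.split(".")[0]
    return machine, device_name[len(machine) + 1:]


def latest_per_device(rows):
    """where isnotempty(OSPlatform) | summarize arg_max(Timestamp, DeviceName) by DeviceId"""
    latest = {}
    for row in rows:
        if not row["OSPlatform"]:
            continue
        ts = datetime.fromisoformat(row["Timestamp"].replace("Z", "+00:00"))
        dev = row["DeviceId"]
        if dev not in latest or ts > latest[dev][0]:
            latest[dev] = (ts, row["DeviceName"])
    return {dev: name for dev, (_, name) in latest.items()}


def count_by_dns_suffix(rows):
    """summarize count() by DeviceDomain"""
    counts = Counter()
    for name in latest_per_device(rows).values():
        _, suffix = split_dns_suffix(name)
        counts[suffix] += 1
    return dict(counts)


def unexpected_suffixes(rows, expected_suffixes):
    """Added hunting step (not in the page's query): map each suffix that is
    absent from the assumed allowlist to the device names using it."""
    hits = {}
    for name in latest_per_device(rows).values():
        _, suffix = split_dns_suffix(name)
        if suffix not in expected_suffixes:
            hits.setdefault(suffix, []).append(name)
    return hits


if __name__ == "__main__":
    for suffix, n in sorted(count_by_dns_suffix(SAMPLE_DEVICEINFO).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {suffix or '<no suffix>'}")
    # Assumed allowlist: only corp.example.com is an expected suffix here.
    print(unexpected_suffixes(SAMPLE_DEVICEINFO, {"corp.example.com"}))
```

Dropping the final grouping (the page's advice for a full device list) corresponds to calling latest_per_device() and split_dns_suffix() directly; the empty-suffix bucket is worth keeping visible, since non-domain-joined or misnamed hosts are exactly the kind of outlier this hunt is meant to surface.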
Benign scenarios and suggested exclusions

Scenario: Scheduled job runs a system inventory update that temporarily registers new DNS suffixes on multiple devices.
Filter/Exclusion: Exclude devices that have a LastLogonTimestamp older than 7 days or that are associated with known system inventory tools (e.g., Microsoft Deployment Toolkit, SCCM, or Intune).

Scenario: IT administrators manually update DNS settings across multiple devices during a network configuration change.
Filter/Exclusion: Exclude devices that are flagged as “IT Managed” in the DeviceTags field or have a UserPrincipalName containing “IT” or “Admin”.

Scenario: A backup or synchronization tool (e.g., Veeam, SyncToy, or OneDrive) temporarily modifies DNS suffixes on endpoints during data transfer.
Filter/Exclusion: Exclude devices that have a ProcessName matching known backup tools (e.g., VeeamBackup.exe, SyncToy.exe, OneDrive.exe) or have a UserPrincipalName associated with backup services.

Scenario: A domain controller or DNS server is performing a DNS zone transfer or replication, causing temporary DNS suffix changes on client devices.
Filter/Exclusion: Exclude devices that are members of the Domain Admins group or have a DNSDomain matching the internal domain name (e.g., example.com).

Scenario: A system update or patching process (e.g., via Windows Update, WSUS, or Microsoft Endpoint Manager) temporarily alters DNS suffixes on a group of devices.
Filter/Exclusion: Exclude devices that have a LastLogonTimestamp within the last 24 hours or that are associated with update management tools (e.g., Windows Update, Microsoft Intune, or WSUS).