Data Source: Sysmon EventID 22

Description

Logs DNS query events, including details about the queried domain, source IP, query type, and response data.

Details

Property    Value
Source      XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sourcetype  XmlWinEventLog
Separator   EventID
Name | Technique | Type
Local LLM Framework DNS Query | Gather Victim Network Information | Hunting
Sunburst Correlation DLL and Network Event | Exploitation for Client Execution | TTP
Windows AI Platform DNS Query | DNS | Anomaly
Windows BitLockerToGo with Network Activity | System Binary Proxy Execution | Hunting
Windows DNS Query Request To TinyUrl | Ingress Tool Transfer | Anomaly
Windows Visual Basic Commandline Compiler DNSQuery | DNS | TTP
3CX Supply Chain Attack Network Indicators | Compromise Software Supply Chain | TTP
Detect DNS Query to Decommissioned S3 Bucket | Data Destruction | Anomaly
Detect hosts connecting to dynamic domain providers | Drive-by Compromise | TTP
Detect Remote Access Software Usage DNS | Remote Access Tools | Anomaly
DNS Kerberos Coercion | LLMNR/NBT-NS Poisoning and SMB Relay, Forced Authentication, DNS | TTP
DNS Query Length With High Standard Deviation | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly
Ngrok Reverse Proxy on Network | Protocol Tunneling, Proxy, Web Service | Anomaly
Rundll32 DNSQuery | Rundll32 | TTP
Suspicious Process DNS Query Known Abuse Web Services | Visual Basic | TTP
Suspicious Process With Discord DNS Query | Visual Basic | Anomaly
Wermgr Process Connecting To IP Check Web Services | IP Addresses | TTP
Windows Abused Web Services | Web Service | Anomaly
Windows DNS Query Request by Telegram Bot API | DNS, Bidirectional Communication | Anomaly
Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses | Anomaly
Windows Multi hop Proxy TOR Website Query | Mail Protocols | Anomaly
Windows Spearphishing Attachment Connect To None MS Office Domain | Spearphishing Attachment | Hunting

Supported Apps

Event Fields

  • _time
  • Channel
  • Computer
  • EventChannel
  • EventCode
  • EventData_Xml
  • EventDescription
  • EventID
  • EventRecordID
  • Guid
  • Image
  • Keywords
  • Level
  • Name
  • Opcode
  • ProcessGuid
  • ProcessID
  • ProcessId
  • QueryName
  • QueryResults
  • QueryStatus
  • RecordID
  • RecordNumber
  • RuleName
  • SecurityID
  • SystemTime
  • System_Props_Xml
  • Task
  • ThreadID
  • TimeCreated
  • UserID
  • UtcTime
  • Version
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dvc_nt_host
  • event_id
  • eventtype
  • host
  • id
  • index
  • linecount
  • process_exec
  • process_guid
  • process_name
  • punct
  • query
  • query_count
  • reply_code_id
  • signature
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • src
  • tag
  • tag::eventtype
  • timeendpos
  • timestartpos
  • user_id
  • vendor_product

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/>
    <EventID>22</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>22</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime='2021-03-24T12:25:15.098978900Z'/>
    <EventRecordID>113892</EventRecordID>
    <Correlation/>
    <Execution ProcessID='2332' ThreadID='3400'/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>win-dc-299.attackrange.local</Computer>
    <Security UserID='S-1-5-18'/>
  </System>
  <EventData>
    <Data Name='RuleName'>-</Data>
    <Data Name='UtcTime'>2021-03-24 12:25:12.840</Data>
    <Data Name='ProcessGuid'>{3CFDEE80-2F7D-605B-F50A-00000000AE01}</Data>
    <Data Name='ProcessId'>7172</Data>
    <Data Name='QueryName'>50.220.65.3.spam.dnsbl.sorbs.net</Data>
    <Data Name='QueryStatus'>9003</Data>
    <Data Name='QueryResults'>-</Data>
    <Data Name='Image'>C:\Windows\System32\wermgr.exe</Data>
  </EventData>
</Event>

Required Output Fields

  • answer

  • answer_count

  • query

  • query_count

  • reply_code_id

  • src

  • vendor_product
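As an added example (not part of this Splunk content page), the following Python parses one Sysmon EventID 22 record like the example log above into the required output fields listed here. The QueryResults answer syntax (';'-separated entries, 'type: <n>' prefixes, IPv4 answers wrapped as ::ffff:x.x.x.x) and the vendor_product value "Microsoft Sysmon" are assumptions not stated on this page.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample, condensed from the page's example log (same values).
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>22</EventID>
<Computer>win-dc-299.attackrange.local</Computer></System>
<EventData><Data Name='UtcTime'>2021-03-24 12:25:12.840</Data>
<Data Name='ProcessId'>7172</Data>
<Data Name='QueryName'>50.220.65.3.spam.dnsbl.sorbs.net</Data>
<Data Name='QueryStatus'>9003</Data>
<Data Name='QueryResults'>-</Data>
<Data Name='Image'>C:\\Windows\\System32\\wermgr.exe</Data></EventData></Event>"""


def parse_query_results(raw):
    """Split the QueryResults string into answer records (format assumed:
    ';'-separated, 'type: <n>' prefix on non-A records, ::ffff: IPv4 mapping).
    A bare '-' means the resolver returned no answers."""
    if raw in ("", "-"):
        return []
    answers = []
    for entry in raw.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("type:"):
            entry = entry.split(None, 2)[-1]      # drop "type: <n>"
        if entry.startswith("::ffff:"):
            entry = entry[len("::ffff:"):]        # unwrap IPv4-mapped IPv6
        answers.append(entry)
    return answers


def sysmon22_to_fields(xml_text):
    """Map one EventID 22 record onto the page's required output fields."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "22":
        raise ValueError("not a Sysmon EventID 22 record")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    answers = parse_query_results(data.get("QueryResults", "-"))
    return {
        "query": data.get("QueryName", ""),
        "query_count": 1,                         # one query per EventID 22 record
        "reply_code_id": int(data.get("QueryStatus", "0")),  # 0 = success; 9003 = name error (NXDOMAIN)
        "answer": answers,
        "answer_count": len(answers),
        "src": root.findtext("e:System/e:Computer", default="", namespaces=NS),
        "vendor_product": "Microsoft Sysmon",    # assumed value; not stated on the page
        "process_name": data.get("Image", "").rsplit("\\", 1)[-1],
    }
```

In the sample, QueryStatus 9003 with QueryResults '-' yields reply_code_id 9003 and answer_count 0, i.e. the DNSBL lookup by wermgr.exe resolved to nothing.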


Source: GitHub | Version: 3