Data Source: Sysmon EventID 22

Description

Logs DNS query events, including details about the queried domain, source IP, query type, and response data.

Details

Property | Value
Source | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sourcetype | XmlWinEventLog
Separator | EventID
Name | Technique | Type
Windows DNS Query Request To TinyUrl | Ingress Tool Transfer | Anomaly
Windows BitLockerToGo with Network Activity | System Binary Proxy Execution | Hunting
Sunburst Correlation DLL and Network Event | Exploitation for Client Execution | TTP
Windows AI Platform DNS Query | DNS | Anomaly
Windows Visual Basic Commandline Compiler DNSQuery | DNS | TTP
Local LLM Framework DNS Query | Gather Victim Network Information | Hunting
3CX Supply Chain Attack Network Indicators | Compromise Software Supply Chain | TTP
Windows Multi hop Proxy TOR Website Query | Mail Protocols | Anomaly
DNS Query Length With High Standard Deviation | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly
Wermgr Process Connecting To IP Check Web Services | IP Addresses | TTP
Detect Remote Access Software Usage DNS | Remote Access Tools | Anomaly
Detect DNS Query to Decommissioned S3 Bucket | Data Destruction | Anomaly
Windows DNS Query Request by Telegram Bot API | DNS, Bidirectional Communication | Anomaly
Suspicious Process With Discord DNS Query | Visual Basic | Anomaly
Rundll32 DNSQuery | Rundll32 | TTP
Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses | Anomaly
Suspicious Process DNS Query Known Abuse Web Services | Visual Basic | TTP
Windows Abused Web Services | Web Service | Anomaly
Ngrok Reverse Proxy on Network | Proxy, Web Service, Protocol Tunneling | Anomaly
Detect hosts connecting to dynamic domain providers | Drive-by Compromise | TTP
DNS Kerberos Coercion | DNS, Forced Authentication, Name Resolution Poisoning and SMB Relay | TTP
Windows Spearphishing Attachment Connect To None MS Office Domain | Spearphishing Attachment | Hunting

Supported Apps

Event Fields

  • _time
  • Channel
  • Computer
  • EventChannel
  • EventCode
  • EventData_Xml
  • EventDescription
  • EventID
  • EventRecordID
  • Guid
  • Image
  • Keywords
  • Level
  • Name
  • Opcode
  • ProcessGuid
  • ProcessID
  • ProcessId
  • QueryName
  • QueryResults
  • QueryStatus
  • RecordID
  • RecordNumber
  • RuleName
  • SecurityID
  • SystemTime
  • System_Props_Xml
  • Task
  • ThreadID
  • TimeCreated
  • UserID
  • UtcTime
  • Version
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dvc_nt_host
  • event_id
  • eventtype
  • host
  • id
  • index
  • linecount
  • process_exec
  • process_guid
  • process_name
  • punct
  • query
  • query_count
  • reply_code_id
  • signature
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • src
  • tag
  • tag::eventtype
  • timeendpos
  • timestartpos
  • user_id
  • vendor_product
</div>

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/>
    <EventID>22</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>22</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime='2021-03-24T12:25:15.098978900Z'/>
    <EventRecordID>113892</EventRecordID>
    <Correlation/>
    <Execution ProcessID='2332' ThreadID='3400'/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>win-dc-299.attackrange.local</Computer>
    <Security UserID='S-1-5-18'/>
  </System>
  <EventData>
    <Data Name='RuleName'>-</Data>
    <Data Name='UtcTime'>2021-03-24 12:25:12.840</Data>
    <Data Name='ProcessGuid'>{3CFDEE80-2F7D-605B-F50A-00000000AE01}</Data>
    <Data Name='ProcessId'>7172</Data>
    <Data Name='QueryName'>50.220.65.3.spam.dnsbl.sorbs.net</Data>
    <Data Name='QueryStatus'>9003</Data>
    <Data Name='QueryResults'>-</Data>
    <Data Name='Image'>C:\Windows\System32\wermgr.exe</Data>
  </EventData>
</Event>

Required Output Fields

  • answer

  • answer_count

  • query

  • query_count

  • reply_code_id

  • src

  • vendor_product
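As an added example, not code from this page or from the Splunk security content project, the following Python parses a raw Sysmon EventID 22 record (the example log above, plus a second, constructed event with a successful answer) and maps it onto the required output fields listed here: query from QueryName, reply_code_id from QueryStatus, src from Computer, answer and answer_count from QueryResults. The vendor_product value "Microsoft Sysmon", the mapping of Windows DNS_ERROR_RCODE_* status codes to RCODE names, and the handling of Sysmon's QueryResults layout (";"-separated entries, IPv4 answers written as "::ffff:" mapped addresses, non-address records prefixed "type: <n>") are assumptions about the data format, labelled as such in the code.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed: Sysmon QueryStatus carries the Windows DNS_ERROR_RCODE_* value (0 = success).
QUERY_STATUS_NAMES = {0: "NOERROR", 9001: "FORMERR", 9002: "SERVFAIL",
                      9003: "NXDOMAIN", 9004: "NOTIMP", 9005: "REFUSED"}
DNS_TYPE_NAMES = {5: "CNAME"}          # record types Sysmon writes as "type: <n> <name>"
VENDOR_PRODUCT = "Microsoft Sysmon"    # assumed CIM vendor_product value for this source

# The EventID 22 record shown on this page (wermgr.exe querying a DNSBL name, NXDOMAIN).
SAMPLE_NXDOMAIN = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>22</EventID><Version>5</Version><Level>4</Level><Task>22</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2021-03-24T12:25:15.098978900Z'/><EventRecordID>113892</EventRecordID><Correlation/><Execution ProcessID='2332' ThreadID='3400'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-299.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2021-03-24 12:25:12.840</Data><Data Name='ProcessGuid'>{3CFDEE80-2F7D-605B-F50A-00000000AE01}</Data><Data Name='ProcessId'>7172</Data><Data Name='QueryName'>50.220.65.3.spam.dnsbl.sorbs.net</Data><Data Name='QueryStatus'>9003</Data><Data Name='QueryResults'>-</Data><Data Name='Image'>C:\Windows\System32\wermgr.exe</Data></EventData></Event>"""

# Constructed sample (not from the page): a resolved query with a CNAME and an A answer.
SAMPLE_RESOLVED = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>22</EventID><Version>5</Version><Level>4</Level><Task>22</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2021-03-24T12:26:01.000000000Z'/><EventRecordID>113893</EventRecordID><Correlation/><Execution ProcessID='2332' ThreadID='3400'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-host-1.example.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2021-03-24 12:26:00.500</Data><Data Name='ProcessGuid'>{3CFDEE80-2F7D-605B-F50A-00000000AE02}</Data><Data Name='ProcessId'>4120</Data><Data Name='QueryName'>www.example.com</Data><Data Name='QueryStatus'>0</Data><Data Name='QueryResults'>type:  5 cdn.example.net;::ffff:203.0.113.10;</Data><Data Name='Image'>C:\Program Files\App\app.exe</Data></EventData></Event>"""


def parse_query_results(raw):
    """Split a Sysmon QueryResults string into (record_type, value) pairs.

    Assumed layout: entries separated by ';', IPv4 answers as IPv4-mapped IPv6
    ('::ffff:a.b.c.d'), other records as 'type: <n> <target>'. '-' means no answer.
    """
    answers = []
    if raw is None or raw.strip() in ("", "-"):
        return answers
    for item in raw.split(";"):
        item = item.strip()
        if not item:
            continue
        if item.startswith("type:"):
            parts = item.split(None, 2)          # ["type:", "5", "cdn.example.net"]
            if len(parts) == 3 and parts[1].isdigit():
                rtype = DNS_TYPE_NAMES.get(int(parts[1]), "type" + parts[1])
                answers.append((rtype, parts[2]))
            continue
        if item.startswith("::ffff:"):
            answers.append(("A", item[len("::ffff:"):]))   # strip the IPv6 mapping prefix
        else:
            answers.append(("AAAA", item))                 # plain IPv6 literal
    return answers


def parse_sysmon_dns_event(xml_text):
    """Parse one raw Sysmon EventID 22 record into the normalized output fields."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    if event_id != 22:
        raise ValueError("not a Sysmon DNS query event: EventID %d" % event_id)
    data = {d.attrib["Name"]: (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    status = int(data.get("QueryStatus", "0"))
    answers = parse_query_results(data.get("QueryResults"))
    image = data.get("Image", "")
    return {
        "query": data.get("QueryName", ""),
        "query_count": 1,
        "reply_code_id": status,
        "reply_code": QUERY_STATUS_NAMES.get(status, "UNKNOWN"),
        "answer": answers,
        "answer_count": len(answers),
        "src": root.find("e:System/e:Computer", NS).text,   # the querying host
        "process_name": image.rsplit("\\", 1)[-1],          # basename of Image
        "process_guid": data.get("ProcessGuid", ""),
        "utc_time": data.get("UtcTime", ""),
        "vendor_product": VENDOR_PRODUCT,
    }


if __name__ == "__main__":
    for raw in (SAMPLE_NXDOMAIN, SAMPLE_RESOLVED):
        ev = parse_sysmon_dns_event(raw)
        print("%(src)s %(process_name)s -> %(query)s [%(reply_code)s, %(answer_count)d answers]" % ev)
```

Keeping reply_code_id as the raw numeric status and adding the RCODE name alongside it lets a search distinguish a process that is resolving names normally from one generating many NXDOMAIN responses, which is what the query-length and lookup-failure style detections in the table above rely on; process_name and src are what the process-centric detections (Wermgr, Rundll32, Visual Basic compiler) pivot on.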


Source: GitHub | Version: 4