DNS

TI map IP entity to DnsEvents

See the DNS query events

DnsEvents
| where IPAddresses has "69.16.175.42"
| order by TimeGenerated asc
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses

Results:

09/02/2023 15:22:34.670 MACHINEDC.contoso.org 10.1.1.5 tg1.aniview.com 69.16.175.42, 69.16.175.10

So, the DNSs were:

player.aniview.com
tg1.aniview.com

Search for more activity relating to the domain and or IP

search 'aniview' and 'MACHINEDC'
| where $table !in ("")
| where TimeGenerated > ago(2d)
| order by TimeGenerated asc

Than we analyze the results, looking for what initiated the DNS query (executable, link, etc).

Further investigation can be done using the following queries:

What opened the URL

DeviceNetworkEvents
| where RemoteUrl has "player.aniview.com"
| order by TimeGenerated asc
| project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine, RemoteIP

Check every procces ran at the machine

DeviceProcessEvents
| where DeviceName has "MACHINEDC"
| where TimeGenerated > ago(2d)
| order by TimeGenerated asc
| project TimeGenerated, FileName, FolderPath, ProcessCommandLine, MD5, InitiatingProcessFolderPath

DNS

TI map IP entity to DnsEvents​

TI map IP entity to DnsEvents