Event ID 3008 — DNS query is completed for the name QueryName, type QueryType, query options QueryOptions with status QueryStatus Results QueryResults.
Description

DNS query is completed for the name QueryName, type QueryType, query options QueryOptions with status QueryStatus Results QueryResults.

Message

Fields
| Name | Type | Description |
|---|---|---|
| QueryName | UnicodeString | Name that was queried |
| QueryType | UInt32 | Query type |
| QueryOptions | UInt64 | Query options |
| QueryStatus | UInt32 | Status the query completed with |
| QueryResults | UnicodeString | Query results |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 3008,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.033539+00:00",
    "event_record_id": 4,
    "correlation": {
      "ActivityID": "30000002-0002-FE00-D015-D40C380D840C"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 7344
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "QueryName": "us-v20.events.endpoint.security.microsoft.com",
    "QueryType": 1,
    "QueryOptions": 720575941453045760,
    "QueryStatus": 87,
    "QueryResults": ""
  },
  "message": ""
}
```
Detection Rules

Sigma (6 rules)

- DNS Query for Anonfiles.com Domain - DNS Client (high): Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
- Suspicious Cobalt Strike DNS Beaconing - DNS Client (critical): Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
- DNS Query To MEGA Hosting Website - DNS Client (medium): Detects DNS queries for subdomains related to MEGA sharing website
- DNS Query To Put.io - DNS Client (medium): Detects DNS queries for subdomains related to "Put.io" sharing website
- Query Tor Onion Address - DNS Client (high): Detects DNS resolution of an .onion address related to Tor routing networks
- DNS Query To Ufile.io - DNS Client (low): Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
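The following is an added triage example, not code from this page or from the Sigma project: it decodes the numeric QueryType and QueryStatus fields of 3008 events and applies domain-suffix checks approximating the file-sharing and .onion rules listed above. The events are constructed (the first mirrors the example event), and the concrete domains used for the MEGA rule are an assumption.

```python
# Win32 / DNS status codes that commonly appear in QueryStatus.
QUERY_STATUS = {
    0: "SUCCESS",
    87: "ERROR_INVALID_PARAMETER",
    1460: "ERROR_TIMEOUT",
    9003: "DNS_ERROR_RCODE_NAME_ERROR",
    9701: "DNS_INFO_NO_RECORDS",
}
# DNS record types as they appear in QueryType.
QUERY_TYPE = {1: "A", 5: "CNAME", 12: "PTR", 16: "TXT", 28: "AAAA"}

# Domain indicators approximating the Sigma rules listed on this page.
# The page names the services; the MEGA domains are an assumption.
RULES = [
    ("DNS Query for Anonfiles.com Domain - DNS Client", ("anonfiles.com",)),
    ("DNS Query To MEGA Hosting Website - DNS Client", ("mega.nz", "mega.co.nz")),
    ("DNS Query To Put.io - DNS Client", ("put.io",)),
    ("Query Tor Onion Address - DNS Client", ("onion",)),
    ("DNS Query To Ufile.io - DNS Client", ("ufile.io",)),
]

# Constructed sample events, trimmed to the fields the triage reads.
SAMPLE_EVENTS = [
    {"system": {"event_id": 3008},
     "event_data": {"QueryName": "us-v20.events.endpoint.security.microsoft.com",
                    "QueryType": 1, "QueryStatus": 87, "QueryResults": ""}},
    {"system": {"event_id": 3008},
     "event_data": {"QueryName": "cdn-12.anonfiles.com", "QueryType": 1,
                    "QueryStatus": 0, "QueryResults": "::ffff:198.51.100.7;"}},
    {"system": {"event_id": 3008},
     "event_data": {"QueryName": "examplekj4.onion", "QueryType": 28,
                    "QueryStatus": 9003, "QueryResults": ""}},
]

def decode_event(event):
    """Return the 3008 fields with numeric codes replaced by their names."""
    d = event["event_data"]
    return {
        "name": d["QueryName"].rstrip(".").lower(),
        "type": QUERY_TYPE.get(d["QueryType"], str(d["QueryType"])),
        "status": QUERY_STATUS.get(d["QueryStatus"], str(d["QueryStatus"])),
        # QueryResults is a ';'-separated list of answers, empty on failure.
        "results": [r for r in d["QueryResults"].split(";") if r],
    }

def matching_rules(event):
    """Titles of the rules above whose domain matches the queried name."""
    if event.get("system", {}).get("event_id") != 3008:
        return []
    name = decode_event(event)["name"]
    # Match the domain itself or any subdomain of it, never a longer label.
    return [title for title, doms in RULES
            if any(name == x or name.endswith("." + x) for x in doms)]
```

A query that fails (non-zero QueryStatus, empty QueryResults) still carries the QueryName, so the rules fire on attempts as well as successful resolutions.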