Hi Team, Here is a Live Discover Query for all DNS requests in a particular time frame from a device. You can use % for all processes or search for a particular process.
-- DNS Lookups by Process
-- $$Start Time$$ DATE
-- $$End Time$$ DATE
-- $$Process Name$$ STRING (Use % as wildcard, for example mcs% )
-- Select list reconstructed: the DNS journal row plus the name of the process that issued it
SELECT spj.process_name, sdj.*
FROM sophos_dns_journal AS sdj
JOIN sophos_process_journal AS spj ON sdj.sophos_pid = spj.sophos_pid
WHERE sdj.time > '$$Start Time$$' AND
      sdj.time < '$$End Time$$' AND
      lower(spj.process_name) LIKE (lower('$$Process Name$$'))
ORDER BY spj.process_name
This is a good approach to localize an unknown app for ZTNA as well. If you have a process that does not work, you can remotely look for all used DNS requests to allow them through.
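The join and the ZTNA allowlisting use case from the post, as an added Python example that is not part of the original post or of Sophos's own code: it builds a throwaway in-memory SQLite database with two constructed tables that mimic sophos_dns_journal and sophos_process_journal (the `name` column, integer epoch-seconds `time` values and the sample rows are assumptions made here), runs the same time-bounded join with the wildcard process filter, and adds a grouped variant that lists the distinct names each matching process resolved, which is the list you would review before allowing a process through.

```python
import sqlite3

# Constructed epoch-seconds base for the sample window (assumption: journal time is epoch seconds).
BASE = 1_700_000_000

# Constructed process journal rows: (sophos_pid, process_name).
PROC_ROWS = [
    (1001, "McsClient.exe"),
    (1002, "chrome.exe"),
    (1003, "svchost.exe"),
]

# Constructed DNS journal rows: (time, sophos_pid, name). The last row lies outside the window.
DNS_ROWS = [
    (BASE + 10, 1001, "mcs.sophos.example"),
    (BASE + 20, 1001, "mcs.sophos.example"),
    (BASE + 30, 1002, "www.example.com"),
    (BASE + 40, 1002, "cdn.example.net"),
    (BASE + 50, 1003, "time.example.org"),
    (BASE + 5000, 1001, "late.example"),
]

# Same shape as the Live Discover query, with named parameters instead of $$ $$ variables.
LOOKUP_QUERY = """
SELECT sdj.time, spj.process_name, sdj.name
FROM sophos_dns_journal AS sdj
JOIN sophos_process_journal AS spj ON sdj.sophos_pid = spj.sophos_pid
WHERE sdj.time > :start AND sdj.time < :end
  AND lower(spj.process_name) LIKE lower(:process)
ORDER BY spj.process_name, sdj.time
"""

# Grouped variant: one row per (process, resolved name) with a lookup count,
# i.e. the candidate allow list for a process that does not work behind ZTNA.
ALLOWLIST_QUERY = """
SELECT spj.process_name, sdj.name, COUNT(*) AS lookups
FROM sophos_dns_journal AS sdj
JOIN sophos_process_journal AS spj ON sdj.sophos_pid = spj.sophos_pid
WHERE sdj.time > :start AND sdj.time < :end
  AND lower(spj.process_name) LIKE lower(:process)
GROUP BY spj.process_name, sdj.name
ORDER BY spj.process_name, lookups DESC, sdj.name
"""


def build_db() -> sqlite3.Connection:
    """Create the two constructed journal tables in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sophos_process_journal (sophos_pid INTEGER, process_name TEXT)")
    conn.execute("CREATE TABLE sophos_dns_journal (time INTEGER, sophos_pid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO sophos_process_journal VALUES (?, ?)", PROC_ROWS)
    conn.executemany("INSERT INTO sophos_dns_journal VALUES (?, ?, ?)", DNS_ROWS)
    conn.commit()
    return conn


def dns_lookups(conn: sqlite3.Connection, start: int, end: int, process: str):
    """Every DNS lookup in (start, end) by processes matching the LIKE pattern."""
    params = {"start": start, "end": end, "process": process}
    return conn.execute(LOOKUP_QUERY, params).fetchall()


def dns_allowlist(conn: sqlite3.Connection, start: int, end: int, process: str):
    """Distinct (process, name, lookup count) rows for the same window and pattern."""
    params = {"start": start, "end": end, "process": process}
    return conn.execute(ALLOWLIST_QUERY, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    # "mcs%" narrows to the constructed MCS client, "%" returns every process in the window.
    for row in dns_lookups(db, BASE, BASE + 100, "mcs%"):
        print("lookup:", row)
    for row in dns_allowlist(db, BASE, BASE + 100, "%"):
        print("allow candidate:", row)
```

The `lower()` on both sides is kept for parity with the Live Discover query; SQLite's LIKE is already case-insensitive for ASCII, but the explicit form documents the intent and behaves the same on engines where it is not. The grouped variant is the one to run first when troubleshooting a blocked application: a short, stable list of names per process is easy to review, while the raw per-lookup output is what you want when the time of a specific resolution matters.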