How to Set Up and Use DNS Logs in the McAfee ESM

Version 3

    Introduction


    DNS logs are an excellent source of data within an organization. They can be automatically correlated with other threat intelligence in the McAfee ESM, which raises alerts when suspicious activity is detected.


    There are many sources of threat intelligence that the McAfee ESM can gather, from the built-in Global Threat Intelligence watchlists to imported IOCs and threat feeds.


    In this document, we'll take a look at how to configure a Microsoft DNS server to send the DNS logs over to the McAfee ESM for analysis and provide useful security information.


    Setting up the DNS Server as a Data Source for the McAfee ESM


    The first step is to enable debug logging on the Microsoft DNS Server. On your Microsoft DNS Server, perform the following:

    1. Open the Domain Name System Microsoft Management Console (DNS MMC) snap-in.
    2. Click Start, Programs, Administrative Tools, and then DNS.
    3. In the DNS console, right-click the server and select Properties.
    4. The Properties window appears on your screen.
    5. Select the Debug Logging tab and check the Log packets for debugging check box.
    6. Ensure that the Incoming, UDP, Queries/Transfers, and Request check boxes are selected.
    7. The log file is located at %SystemRoot%\System32\Dns\Dns.log.

    [Screenshot: 01.png]

    Next, configure the McAfee SIEM Collector to send the DNS logs to the McAfee ESM.

    Download the collector from the McAfee product download site:

    http://www.mcafee.com/us/downloads/downloads.aspx

    After the collector is installed, open the McAfee SIEM Collector Management Utility.

    In the Receiver options, enter your ESM Receiver IP address:

    [Screenshot: 02.png]

    Right-click Event Collectors and create a new group. I named my group Microsoft.

    In the group options, enter your credentials for the Windows Server. These credentials are used to read the DNS log.

    [Screenshot: 03.png]

    Right-click your group and click Add Host. This is where the host and collector settings live. Enter your Host Name/IP at the top.

    Next, create and name a new configuration and enter the details for your DNS log. We're going to tail the end of the log file and send it to the McAfee ESM.

    Log Directory: C:\Windows\System32\dns

    Log File: dns.log

    Tail Mode: End of file

    Enabled: Checked

    [Screenshot: 04.png]

    Now that the DNS Server and collector are set up, add the DNS server as a data source on the McAfee ESM.

    Setting up the McAfee ESM Receiver


    1. Select the Receiver where you will be adding the data source.
    2. After selecting the Receiver, click the “Add Data Source” icon.


    [Screenshot: 05.png]


    On the Data Source Screen


    Data Source Vendor – Microsoft

    Data Source Model – Windows DNS (ASP)

    Data Format – Default

    Data Retrieval – MEF

    Enabled: Parsing/Logging/SNMP Trap – <Default>

    Name – Name of data source

    IP Address/Hostname – The IP address and host name of the data source device (the IP must match the SIEM Collector's)

    Host ID – Host ID associated with the SIEM Collector log tail configuration if applicable

    Support Generic Syslogs – Do nothing

    Time Zone – Time zone of data being sent.


    [Screenshot: 06.png]


    Utilizing the Data


    Now that you have the DNS data in your McAfee ESM, you can gather very useful information from the logs.


    McAfee ESM includes Content Packs, which are prepackaged sets of views, alarms, reports, watchlists, variables, and correlation rules. One of the available packs is the DNS Content Pack. To install it in the McAfee ESM, go to System Properties > Content Packs, click Browse, select the DNS Content Pack, and click Install.


    [Screenshot: 08.png]

    After the DNS Content Pack is installed, we will modify one of its Correlation Rules to fit our environment.

    First, go to the correlation rules section by clicking the Correlation icon in the top right.


    [Screenshot: 09.png]


    Next, select the "DNS - Communication with Malicious Host - Event or Flow" rule, open the Edit menu drop-down and select Copy, then open it again and select Paste. This creates a duplicate of the rule.


    [Screenshot: 10.png]


    Now, select the newly created correlation rule and go to Edit > Modify.


    First, change the Name of this correlation rule by appending "Modified" to it. Next, click the drop-down in the rule's filter and select Edit.


    [Screenshot: 11.png]


    Uncheck the Flows option and click on the Add button on the right.


    [Screenshot: 12.png]


    We're going to match this correlation rule with the event "Win_DNS A Query Sent", which includes the client's IP address for DNS requests. The Signature ID of this event is 266-1013188. When we add it, it should look like this.


    [Screenshot: 13.png]


    Now, we'll want to remove the Destination Port by selecting it and clicking Delete.


    [Screenshot: 14.png]


    Okay, now we have our correlation rule set up. This rule triggers any time a client communicates with a malicious host. When you look at the rule, make note of its Signature ID (the Signature ID of your newly created rule will be different from mine). We will use it to create an alarm that automatically notifies you when this rule triggers.
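    To make concrete what the collector tails and what this rule matches on, here is an added Python example (not part of the original document, and not McAfee or Microsoft code) that parses a few lines in the Windows DNS debug-log packet format, keeps only incoming client requests (the records that carry the client IP, the same kind of event the "Win_DNS A Query Sent" signature represents) and checks the queried names against a watchlist, which is what the correlation rule does inside the ESM. The log lines, the watchlist domain bad-host.invalid and the field names are constructed for the example.

```python
"""Parse Windows DNS debug-log packet lines and match queried names against
a watchlist. Added example: the log lines and the watchlist below are
constructed for illustration, not taken from a real server."""
import re
from typing import Any, Dict, Iterable, Iterator, List, Optional

# Constructed sample lines in the Windows DNS debug-log packet format:
# date time threadId context packetId proto direction remoteIp xid [R] opcode
# [flags] qtype name, where the name is written as length-prefixed labels.
SAMPLE_DNS_LOG = """\
3/22/2016 7:21:07 PM 0D50 PACKET  00000000023B4E40 UDP Rcv 10.0.0.25        8bb6   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/22/2016 7:21:07 PM 0D50 PACKET  00000000023B4E40 UDP Snd 10.0.0.25        8bb6 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/22/2016 7:21:09 PM 0D50 PACKET  00000000023B5120 UDP Rcv 10.0.0.77        91c2   Q [0001   D   NOERROR] A      (3)cdn(8)bad-host(7)invalid(0)
3/22/2016 7:21:11 PM 0D50 PACKET  00000000023B5120 UDP Rcv 10.0.0.77        91c3   Q [0001   D   NOERROR] AAAA   (7)updates(8)bad-host(7)invalid(0)
"""

# Constructed watchlist standing in for the ESM's malicious-host list.
WATCHLIST = {"bad-host.invalid"}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<thread>[0-9A-Fa-f]+) PACKET\s+"
    r"(?P<pkt>[0-9A-Fa-f]+) (?P<proto>UDP|TCP) (?P<dir>Rcv|Snd) (?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<resp>R?)\s*(?P<op>[QNU])\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_name(encoded: str) -> str:
    """Turn "(3)www(7)example(3)com(0)" into "www.example.com"."""
    labels: List[str] = []
    for length, label in LABEL_RE.findall(encoded):
        n = int(length)
        if n == 0:  # the root label terminates the name
            break
        if len(label) != n:  # malformed or truncated line
            raise ValueError(f"label length mismatch in {encoded!r}")
        labels.append(label)
    return ".".join(labels)


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one packet line; return None for non-packet lines (e.g. file wrap notices)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": f"{m['date']} {m['time']}",
        "client": m["ip"],
        "direction": m["dir"],
        "is_response": m["resp"] == "R",
        "qtype": m["qtype"],
        "name": decode_name(m["name"]).lower(),
        "flags": m["flags"].split(),
    }


def client_queries(lines: Iterable[str]) -> Iterator[Dict[str, Any]]:
    """Yield only incoming requests: the records that carry a client IP."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["direction"] == "Rcv" and not rec["is_response"]:
            yield rec


def match_watchlist(records: Iterable[Dict[str, Any]], watchlist: Iterable[str]) -> List[Dict[str, Any]]:
    """Return records whose name is a watchlisted domain or a subdomain of one."""
    hits = []
    for rec in records:
        for bad in watchlist:
            if rec["name"] == bad or rec["name"].endswith("." + bad):
                hits.append({**rec, "matched": bad})
                break
    return hits


if __name__ == "__main__":
    for hit in match_watchlist(client_queries(SAMPLE_DNS_LOG.splitlines()), WATCHLIST):
        print(f"{hit['timestamp']} client {hit['client']} queried "
              f"{hit['qtype']} {hit['name']} (watchlist: {hit['matched']})")
```

    Responses (the Snd line with the R marker) are dropped because they name the server, not the requesting client, which is why the correlation rule above is keyed to the query event. Only packet lines are parsed; other lines the DNS server writes to the debug log are skipped rather than failing the run.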


    [Screenshot: 15.png]


    There are also other Correlation Rules built into the DNS Content Pack that can provide you with important events. Some of them are:


    • DNS - Multiple Recon Events from a Local Host
    • DNS - Multiple Recon Events from a Remote Host
    • DNS - Possible DNS Amplification Attack
    • DNS - Possible DNS connection or Unauthorized DNS server
    • DNS - Traffic with a Passive DNS known Malware Domain


    Content Packs can also be updated with new rules and other elements in the future.


    Creating an Alarm


    Using the correlation rules, you can create an alarm to alert you whenever there is suspicious activity. Be careful not to create too many low-value alarms: the signal-to-noise ratio will be too low and you'll end up ignoring all of them, even when one is critical. That said, alarms are helpful for notifying you when an important event occurs.


    To create an alarm, go to your System Information panel, click Alarms, then click Add.

    Enter a name such as "Client Communicating with Malicious Host".


    [Screenshot: 16.png]


    Now, click on the Condition tab. For the Type, select Internal Event Match.

    For the Field, select Signature ID.

    For the Value, enter the Signature ID of your Correlation Rule.


    [Screenshot: 17.png]


    For the Devices tab, select your correlation device.


    [Screenshot: 18.png]


    In the Actions tab, check the Send Message box and configure it to send the message to your administrators.


    [Screenshot: 19.png]


    After that, you can also add an escalation if no one acknowledges the alarm within a certain period of time.


    [Screenshot: 20.png]


    After you've configured the alarm, click Finish. Now, any time the correlation rule triggers, the ESM will automatically send an email notifying you of the incident.