Fynix
Level 7
Message 1 of 4

Domain Field Blank in Windows DNS Events

Hello,

My organization has several DNS servers set up as data sources feeding events into ESM.  I am wanting to modify the default aggregation settings for the DNS events generated in order to preserve the information within the DNS request/reply.  Specifically, I want to change the aggregation from SigID, SrcIP, and DstIP to SigID, SrcIP and Domain.  What this should do is stop aggregating DNS events from a single source/destination IP with different domains into a single record.  Due to the sheer number of DNS queries I would prefer to leave aggregation on.

The raw packet does contain the data that I am looking for:

10/7/2016 12:50:31 PM 0EFC PACKET  00000000019CCF10 UDP Rcv 172.18.213.70   2b92   Q [0001   D   NOERROR] A      (4)time(3)com(0)

However, the problem that I am facing is that the parsed DNS record doesn't populate the "Domain" field.

There is a custom type that does contain the properly formatted domain "time.com".

However, the custom types "DNS - Query" or "Web_Domain" do not appear in the list of event fields viable for event aggregation:

Therefore, I think my only option is to solve the problem with the domain field not being populated.  Any suggestions would be appreciated.

Thanks!

1 Solution

Accepted Solutions
yd9038
Level 9
Message 2 of 4

Re: Domain Field Blank in Windows DNS Events

Since Windows DNS (ASP) events are syslog events, you can actually write a custom parser or change the field mappings in the parser.

  1. In Policy Editor, go to Advanced Syslog Parser. Find this rule:

     Rule Name: Win_DNS A Query Received
     Signature ID: 1013190
     Device Type ID: 266

  2. Go to the Field Assignment tab and remove "Web_Domain".

  3. Click on the + sign and add the "Domain" field, and type "1:6" in the Expression field of "Domain".

  4. Save As, with a new rule name.

  5. Disable the old rule, and enable the new one for all Windows DNS data sources (you should put them all in one container in Policy Editor).

  6. Roll out policies.

The domain name will now be parsed into the "Domain" field as you wanted, and you can then change the aggregation to SigID, SrcIP and Domain.
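To make the two halves of this thread concrete, here is an added, stand-alone Python example (not ESM's ASP rule, and not code from either poster). It parses the Windows DNS debug-log packet line quoted in the question, decodes the length-prefixed query name `(4)time(3)com(0)` into the dotted domain `time.com` that the "Domain" mapping above is meant to carry, and then counts constructed sample lines under the default aggregation key (SigID, SrcIP, DstIP) and under (SigID, SrcIP, Domain), which shows directly how the default key collapses distinct domains into one record. The regex for the line layout is modelled on the single line in the question, and the extra sample lines and the `DNS_SERVER_IP` value are constructed for the example; SigID 1013190 is taken from the accepted answer.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample input in the Windows DNS debug-log "PACKET" format seen in
# the question. The first line is the one quoted there; the rest are made up.
SAMPLE_LOG = """\
10/7/2016 12:50:31 PM 0EFC PACKET  00000000019CCF10 UDP Rcv 172.18.213.70   2b92   Q [0001   D   NOERROR] A      (4)time(3)com(0)
10/7/2016 12:50:32 PM 0EFC PACKET  00000000019CCF20 UDP Rcv 172.18.213.70   2b93   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
10/7/2016 12:50:33 PM 0EFC PACKET  00000000019CCF30 UDP Rcv 172.18.213.70   2b94   Q [0001   D   NOERROR] A      (4)time(3)com(0)
10/7/2016 12:50:34 PM 0EFC PACKET  00000000019CCF40 UDP Rcv 172.18.213.71   2b95   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
"""

# Assumption: the DNS server that wrote the log is the DstIP of every received query.
DNS_SERVER_IP = "172.18.213.10"  # constructed value for the example

# Layout of one packet line, following the sample line in the question.
PACKET_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<tid>[0-9A-F]+)\s+PACKET\s+(?P<pkt>[0-9A-F]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<qr>[QR])\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\(\d+\)\S*)\s*$"
)


def decode_qname(encoded: str) -> str:
    """Turn the length-prefixed name, e.g. '(4)time(3)com(0)', into 'time.com'.

    Each label's declared length is checked against its actual length, so a
    truncated or malformed field raises instead of yielding a wrong domain.
    """
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^()]*)", encoded):
        n = int(length)
        if n != len(label):
            raise ValueError(f"label length mismatch in {encoded!r}")
        if n == 0:
            break  # the root label terminates the name
        labels.append(label)
    return ".".join(labels) if labels else "."


def parse_packet_line(line: str) -> Optional[dict]:
    """Parse one debug-log line into named fields plus a decoded 'domain'."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["domain"] = decode_qname(rec["qname"])
    return rec


def aggregate(log_text: str, key: tuple) -> Counter:
    """Count 'A Query Received' events per aggregation key.

    key is a tuple of event field names. ('sigid', 'srcip', 'dstip') is the
    default the question describes; ('sigid', 'srcip', 'domain') keeps one
    row per queried domain, which is what the thread wants.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_packet_line(line)
        # Only received A queries correspond to the rule discussed in the thread.
        if rec is None or rec["qr"] != "Q" or rec["qtype"] != "A":
            continue
        event = {
            "sigid": 1013190,          # Win_DNS A Query Received (from the answer)
            "srcip": rec["ip"],
            "dstip": DNS_SERVER_IP,
            "domain": rec["domain"],
        }
        counts[tuple(event[f] for f in key)] += 1
    return counts


if __name__ == "__main__":
    for key in (("sigid", "srcip", "dstip"), ("sigid", "srcip", "domain")):
        print("aggregation key:", key)
        for k, n in sorted(aggregate(SAMPLE_LOG, key).items()):
            print(f"  {n} x {k}")
```

With the four constructed lines, the default key yields two rows (one per client, the queried names gone), while the domain key yields three rows and keeps `time.com` and `www.example.com` apart for the same client. The length check in `decode_qname` is worth keeping in any real parser: a mapping that silently accepted a mis-sized label would populate the aggregation field with a wrong value rather than leaving it blank.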

3 Replies
Fynix
Level 7
Message 3 of 4

Re: Domain Field Blank in Windows DNS Events

Thanks!  That did the trick.

fwuest
Level 7
Message 4 of 4

Re: Domain Field Blank in Windows DNS Events

I have just searched for the exact same problem.

This answer is known to me, but in my opinion this is NO real solution. This is just a dirty workaround. I'm starting to ask myself why we've bought this SIEM. It comes with tons of preconfigured rules, great, but a lot of them have to be changed manually... (= no more updates from McAfee etc.).

In my opinion this should be fixed by the vendor itself; it can't be that I need to change about 50 DNS rules manually and get no updates on these because they are now manual ASP rules.
