3 Replies Latest reply on May 11, 2017 6:57 AM by fwuest

    Domain Field Blank in Windows DNS Events

    rsundsten

      Hello,


      My organization has several DNS servers set up as data sources feeding events into ESM.  I want to modify the default aggregation settings for the DNS events they generate in order to preserve the information within the DNS request/reply.  Specifically, I want to change the aggregation from SigID, SrcIP, and DstIP to SigID, SrcIP and Domain.  What this should do is stop aggregating DNS events from a single source/destination IP with different domains into a single record.  Due to the sheer number of DNS queries I would prefer to leave aggregation on.


      The raw packet does contain the data that I am looking for:

      10/7/2016 12:50:31 PM 0EFC PACKET  00000000019CCF10 UDP Rcv 172.18.213.70   2b92   Q [0001   D   NOERROR] A      (4)time(3)com(0)


      However, the problem that I am facing is that the parsed DNS record doesn't populate the "Domain" field.


      There is a custom type that does contain the properly formatted domain "time.com".

      However, the custom types "DNS - Query" and "Web_Domain" do not appear in the list of event fields viable for event aggregation.

      Therefore, I think my only option is to solve the problem with the domain field not being populated.  Any suggestions would be appreciated.


      Thanks!

        • 1. Re: Domain Field Blank in Windows DNS Events
          yd9038

          Since Windows DNS (ASP) events are syslog events, you can actually write a custom parser or change the field mappings in the parser.


          1. In Policy Editor, go to Advanced Syslog Parser. Find this rule:


               Rule Name: Win_DNS A Query Received

               Signature ID: 1013190

               Device Type ID: 266


               2. Go to the Field Assignment tab and remove "Web_Domain".


               3. Click on the + sign and add the "Domain" field, and type "1:6" in the Expression field of "Domain".


               4. Save As, with a new rule name.

               5. Disable the old rule, and enable the new one for all Windows DNS datasources (you should put them all in one container in Policy Editor).

               6. Roll out policies.


          The domain name will now be parsed into the "Domain" field as you wanted, and you can now change the aggregation to SigID, SrcIP and Domain.
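As an added illustration (not code from this thread, and not McAfee's ASP parser itself), the Python below shows what the field change buys: it decodes the length-prefixed question name from the Windows DNS debug-log packet line quoted in the question and compares aggregation on SigID/SrcIP/DstIP with aggregation on SigID/SrcIP/Domain, where the latter keeps queries for different domains from the same client as separate records. The sample lines and the DNS server address are constructed; the signature ID is the one given in the reply above.

```python
import re
from collections import Counter

# Signature ID the reply gives for the "Win_DNS A Query Received" ASP rule.
SIG_ID_A_QUERY = 1013190
# Assumed address of the DNS server writing the log (the DstIP in ESM); constructed.
DNS_SERVER_IP = "10.0.0.53"

# Constructed sample lines in the Windows DNS debug-log packet format quoted in the question.
SAMPLE_LINES = [
    "10/7/2016 12:50:31 PM 0EFC PACKET  00000000019CCF10 UDP Rcv 172.18.213.70   2b92   Q [0001   D   NOERROR] A      (4)time(3)com(0)",
    "10/7/2016 12:50:32 PM 0EFC PACKET  00000000019CCF20 UDP Rcv 172.18.213.70   2b93   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)",
    "10/7/2016 12:50:33 PM 0EFC PACKET  00000000019CCF30 UDP Rcv 172.18.213.70   2b94   Q [0001   D   NOERROR] A      (4)time(3)com(0)",
    "10/7/2016 12:50:34 PM 0EFC PACKET  00000000019CCF40 UDP Rcv 172.18.213.71   2b95   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)",
]

# Fields from PACKET up to the question name; the opcode column ("Q") may be preceded by "R" on responses.
PACKET_RE = re.compile(
    r"PACKET\s+\S+\s+(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<src_ip>\S+)\s+"
    r"(?P<xid>[0-9a-fA-F]+)\s+(?:R\s+)?(?P<opcode>\S)\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

def decode_labels(qname: str) -> str:
    """Turn the length-prefixed form '(4)time(3)com(0)' into 'time.com'."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^()]*)", qname):
        if len(label) != int(length):
            raise ValueError(f"label length mismatch in {qname!r}")
        if label:
            labels.append(label)
    return ".".join(labels)

def parse_packet_line(line: str) -> dict:
    """Extract the ESM-style fields for one received A-query packet line."""
    m = PACKET_RE.search(line)
    if not m or m.group("opcode") != "Q" or m.group("qtype") != "A":
        raise ValueError(f"not an A query packet line: {line!r}")
    return {"sig_id": SIG_ID_A_QUERY, "src_ip": m.group("src_ip"),
            "dst_ip": DNS_SERVER_IP, "domain": decode_labels(m.group("qname"))}

def aggregate(events: list, key_fields: tuple) -> Counter:
    """Count events per aggregation key, like ESM's aggregated record counts."""
    return Counter(tuple(ev[f] for f in key_fields) for ev in events)

def compare_aggregation(lines: list) -> tuple:
    """Return (records keyed by SigID/SrcIP/DstIP, records keyed by SigID/SrcIP/Domain)."""
    events = [parse_packet_line(line) for line in lines]
    return (aggregate(events, ("sig_id", "src_ip", "dst_ip")),
            aggregate(events, ("sig_id", "src_ip", "domain")))
```

With the four sample lines, the default key collapses all three queries from 172.18.213.70 into one record, while the Domain key yields separate records for time.com and www.example.com.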

          • 2. Re: Domain Field Blank in Windows DNS Events
            rsundsten

            Thanks!  That did the trick.

            • 3. Re: Domain Field Blank in Windows DNS Events
              fwuest

              I have just searched for the exact same problem.

              This answer is known to me, but in my opinion this is NO real solution. This is just a dirty workaround. I'm starting to ask myself why we've bought this SIEM. It comes with tons of preconfigured rules, great, but a lot of them have to be changed manually... (= no more updates from McAfee etc.).

              In my opinion this should be fixed by the vendor itself; it can't be that I need to change about 50 DNS rules manually and get no updates on them because they are now manual ASP rules.