Since Windows DNS (ASP) events are syslog events, you can actually write a custom parser or change the field mappings in the parser.
1. In Policy Editor, go to Advanced Syslog Parser. Find this rule:
   Rule Name: Win_DNS A Query Received
   Signature ID: 1013190
   Device Type ID: 266
2. Go to the Field Assignment tab and remove "Web_Domain":
3. Click on the + sign and add the "Domain" field, and type "1:6" in the Expression field of "Domain":
4. Save As, with a new rule name.
5. Disable the old rule, and enable the new one for all Windows DNS datasources (you should put them all in one container in Policy Editor).
6. Roll out policies
The domain name will now be parsed into the "Domain" field as you wanted, and you can now change the aggregation to SigID, SrcIP and Domain.
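To show what the field remapping above actually changes, here is an added example (not code from the answer above or from McAfee ESM): a small parser that reads constructed lines in the layout of a Windows DNS debug log, decodes the label-encoded query name, writes it to a configurable field name ("Domain" instead of "Web_Domain"), and then aggregates on SigID, SrcIP and Domain. The regex is a hypothetical stand-in for the rule's own pattern, and the log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines in the Windows DNS debug-log layout (not from the page or from ESM).
SAMPLE_LOG = """\
3/25/2016 9:51:23 AM 0E40 PACKET  000000B2D3E0B8C0 UDP Rcv 10.0.0.5        0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/25/2016 9:51:24 AM 0E40 PACKET  000000B2D3E0B8C1 UDP Rcv 10.0.0.5        0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/25/2016 9:51:25 AM 0E40 PACKET  000000B2D3E0B8C2 UDP Rcv 10.0.0.7        0004   Q [0001   D   NOERROR] A      (4)mail(7)example(3)com(0)
3/25/2016 9:51:26 AM 0E40 PACKET  000000B2D3E0B8C3 UDP Rcv 10.0.0.5        0005   Q [0001   D   NOERROR] AAAA   (3)www(7)example(3)com(0)
"""

SIG_ID = 1013190  # Signature ID of "Win_DNS A Query Received", taken from the rule on the page

# Hypothetical regex standing in for the ASP rule's pattern (assumption, not the real rule):
# group 1 = source IP, group 2 = record type, group 3 = the label-encoded query name.
QUERY_RE = re.compile(
    r"UDP Rcv (\d{1,3}(?:\.\d{1,3}){3})\s+\w+\s+Q \[[^\]]*\]\s+(\w+)\s+((?:\(\d+\)[^()\s]*)+\(0\))"
)


def decode_name(encoded):
    """Turn "(3)www(7)example(3)com(0)" into "www.example.com"."""
    labels = re.findall(r"\((\d+)\)([^()]*)", encoded)
    return ".".join(label for length, label in labels if int(length) > 0)


def parse_event(line, domain_field="Domain"):
    """Map one A-query line to event fields; domain_field plays the role of the Field Assignment."""
    m = QUERY_RE.search(line)
    if not m or m.group(2) != "A":  # only A queries belong to this rule
        return None
    return {"SigID": SIG_ID, "SrcIP": m.group(1), domain_field: decode_name(m.group(3))}


def aggregate(log_text, domain_field="Domain"):
    """Count events per (SigID, SrcIP, Domain), the aggregation the answer describes."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line, domain_field)
        if ev:
            counts[(ev["SigID"], ev["SrcIP"], ev[domain_field])] += 1
    return counts
```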
Thanks! That did the trick.
I have just searched for the exact same problem.
This answer is known to me, but in my opinion this is NO real solution. This is just a dirty workaround. I'm starting to ask myself why we've bought this SIEM. It comes with tons of preconfigured rules, great, but a lot of them have to be changed manually... (= no more updates from McAfee etc.).
In my opinion this should be fixed by the vendor itself; it can't be that I need to change about 50 DNS rules manually and get no updates on them because they are now manual ASP rules.