-
Notifications
You must be signed in to change notification settings - Fork 456
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Windows] DNS Analytical and Audit event support #6586
Comments
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
not sure how useful this is but linking here a previous attempt at etwbeat (collecting event tracing) https://github.com/narph/etwbeat based on docs https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing. In this case the provider is specified so this could simplify the implementation. |
This would be an interesting approach for DNS logging. I would be interested to see this come to light. For the DNS field set, they do exist unless you are referring to something else? https://www.elastic.co/guide/en/ecs/current/ecs-dns.html Today security teams can use Sysmon (or other EDRs) to monitor DNS at the client level but this sounds like a server level monitor that is much more detailed. |
Thanks for chiming in @nicpenning. I've adjusted the point on the DNS fieldset. |
Since the recent addition of the ETW input, DNS Server Audit logs can be collected by ETW and also Winlog input (through Windows Eventlog channel). I would like to remark the differences using both inputs in order to determine which input use for this integration:
Eventlog "winlog": {
"computer_name": "EC2AMAZ-253CQ8C",
"process": {
"pid": 852,
"thread": {
"id": 1328
}
},
"keywords": [
"AUDIT_REC_ADMIN"
],
"channel": "Microsoft-Windows-DNSServer/Audit",
"event_data": {
"ZoneScope": "Default",
"BufferSize": "16",
"Type": "28",
"VirtualizationID": ".",
"Zone": "..Cache",
"TTL": "0",
"RDATA": "20010503BA3E00000000000000020030",
"NAME": "A.ROOT-SERVERS.NET."
},
"opcode": "Info",
"record_id": 8,
"task": "ZONE_OP",
"event_id": "515",
"provider_guid": "{eb79061a-a566-4698-9119-3ed2807060e7}",
"api": "wineventlog",
"provider_name": "Microsoft-Windows-DNSServer",
"user": {
"identifier": "S-1-5-21-2397692938-4146434421-2570431792-500",
"domain": "EC2AMAZ-253CQ8C",
"name": "Administrator",
"type": "User"
}
},
"message": "A resource record of type 28, name A.ROOT-SERVERS.NET., TTL 0 and RDATA 0x20010503BA3E00000000000000020030 was created in scope Default of zone ..Cache. [virtualization instance: .].", ETW "winlog": {
"process_id": "852",
"thread_id": "6140",
"task": "5",
"keywords": "4611686018428436480",
"provider_guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"session": "Elastic-DNSServer-Audit",
"channel": "17",
"flags": "576",
"event_data": {
"ZoneScope": "Default",
"BufferSize": "22",
"Type": "2",
"VirtualizationID": ".",
"Zone": "..Cache",
"TTL": "0",
"RDATA": "0x14422E524F4F542D534552564552532E4E45542E0000",
"NAME": "@"
},
"opcode": "0",
"version": 0,
"activity_guid": "{00000000-0000-0000-0000-000000000000}"
}, Focused on the event data (the rest of the event is similar for both inputs), we can see that we obtain better results from Eventlog. In particular, some fields are translated from the numerical code to its human-readable format (
|
Does the Winlog apply to Filebeat as the source via Custom Windows Event logs as well? |
Thanks for continuing to work through this one @chemamartinez. Given that the Windows DNS events can be split across Analytical and Audit events, I think it makes sense to have a single 'Windows DNS' package which covers both. Two data streams will be needed, one for Analytical (ETW input) and one for Audit events (using winlog). Users can then easily onboard, map, parse and visualise their DNS data via a single package. |
Description
Attackers are using DNS for data theft, denial-of-service, and other malicious activity. Proactive monitoring of DNS activity can help network administrators quickly detect and respond to these threats. The Domain Name System (DNS) provides a hierarchy of names for computers and services on the Internet or other networks. Its most noteworthy function is the translation of domain names such as example.com into IP addresses. DNS is required for the Internet to function, operates on a global scale, and is massively distributed.
Common types of DNS attacks include DNS hijacking, DNS tunnelling, Various denial-of-service (DoS) attacks and DNS cache poisoning.
By proactively monitoring DNS audit logs and query traffic, IT personnel can more quickly identify and respond to a DNS attack, reducing its impact.
Source: https://nxlog.co/whitepapers/dns-logging/
Architecture
Windows DNS Analytical logging is the most common event source that administrators and security analysts require visibility into. The analytical logs provide insight ito every DNS transaction that takes place internally and externally on a network. The logs rely on Event Tracing for WIndows (ETW) and are exposed via the Microsoft-Windows-DNSServer. For a deep dive on the architecture, see here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
To provide full coverage of DNS events, we should also support DNS audit logs, which are written to Microsoft-Windows-DNS-Server/Audit event log, and doesn't rely on event tracing.
Questions
Integration release checklist
This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.
All changes
New Package
Dashboards changes
Log dataset changes
sample_event.json
) existsThe text was updated successfully, but these errors were encountered: