[microsoft_dnsserver] Initial release of Microsoft DNS Server integration #9722
Conversation
chemamartinez
added
enhancement
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
|
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform) |
🚀 Benchmarks reportTo see the full report comment with |
💚 Build Succeeded
History
|
|
packages/microsoft_dnsserver/data_stream/analytical/agent/stream/etw.yml.hbs
Show resolved
Hide resolved
| - set: | ||
| field: event.category | ||
| value: [configuration] | ||
| if: ctx.winlog?.task != null && ctx.winlog.task == "Configuration" |
There was a problem hiding this comment.
| if: ctx.winlog?.task != null && ctx.winlog.task == "Configuration" | |
| if: ctx.winlog?.task == "Configuration" |
You can possibly combine both conditions
There was a problem hiding this comment.
if: ctx.winlog?.task == "Configuration"
This condition covers the possibility that ctx.winlog exists but ctx.winlog.task is not present? If so, I will update the whole pipeline. Just asking because I see many integrations having both checks.
There was a problem hiding this comment.
You can combine these; ctx.winlog?.task resolves to null if ctx.winlog or ctx.winlog.task are null/absent, and null does not equal "Configuration", so the check is valid.
|
|
||
| DNS analytical events are not enabled by default. To enable it, you can follow the [guide to enable DNS diagnostics logging](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)#to-enable-dns-diagnostic-logging) of Microsoft's documentation. | ||
|
|
||
| **Note:** DNS logging and diagnostics feature in Windows is designed to have a very low impact on performance. However, according to the [Audit and analytic event logging section](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)#audit-and-analytic-event-logging), typically will only affect DNS server performance at very high DNS query rates. For example, a DNS server running on modern hardware that is receiving 100,000 queries per second (QPS) can experience a performance degradation of 5% when analytic logs are enabled. |
There was a problem hiding this comment.
| **Note:** DNS logging and diagnostics feature in Windows is designed to have a very low impact on performance. However, according to the [Audit and analytic event logging section](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)#audit-and-analytic-event-logging), typically will only affect DNS server performance at very high DNS query rates. For example, a DNS server running on modern hardware that is receiving 100,000 queries per second (QPS) can experience a performance degradation of 5% when analytic logs are enabled. | |
| **Note:** DNS logging and diagnostics feature in Windows is designed to have a very low impact on performance. However, according to the [Audit and analytic event logging section](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)#audit-and-analytic-event-logging) of the docs, typically will only affect DNS server performance at very high DNS query rates. For example, a DNS server running on modern hardware that is receiving 100,000 queries per second (QPS) can experience a performance degradation of 5% when analytic logs are enabled. |
(this is a new para, so the documentation needs a reference to bring it into scope for the reader)
|
|
||
| This integration provides a native filtering mechanism called `Match All Keyword`. This filter uses a 64-bit bitmask to specify which events to capture based on their defined keywords. Each keyword corresponds to a specific type of event detailed in the DNS Server provider's manifest. | ||
|
|
||
| To view these keywords and understand what types of events can be traced, you can run the following command in a command prompt: `logman query providers "Microsoft-Windows-DNSServer"`. Here is an example of how it looks like: |
There was a problem hiding this comment.
| To view these keywords and understand what types of events can be traced, you can run the following command in a command prompt: `logman query providers "Microsoft-Windows-DNSServer"`. Here is an example of how it looks like: | |
| To view these keywords and understand what types of events can be traced, you can run the following command in a command prompt: `logman query providers "Microsoft-Windows-DNSServer"`. Here is an example of the output: |
| The command completed successfully. | ||
| ``` | ||
|
|
||
| The output lists various event types with corresponding keywords, allowing you to select which events to monitor. For example, if you want to track recursive queries, you would look for keywords like `RECURSE_QUERY_OUT`, `RECURSE_RESPONSE_IN`, and `RECURSE_QUERY_DROP`. To set up filtering for these specific events, you would calculate the sum of their bitmask values. The result for this particular case would be `0x8000000000000070` (notice that it includes `0x8000000000000000` to match Analytical events as well). |
There was a problem hiding this comment.
Is this something that would be worth adding as a user-friendly configuration where they can add a list of the keywords and the pipeline calculates the bitmask? or is the set of keywords a moving feast?
There was a problem hiding this comment.
These keywords vary depending on the version of Windows, so we would have to create different translations accordingly. In addition, a more user-friendly form of filtering is planned for future iterations: elastic/beats#38105
| }, | ||
| "response_code": "NoError" | ||
| }, | ||
| "dnsserver": { |
There was a problem hiding this comment.
Should this be microsoft_dnsserver to match the integration path name? That's the usual convention to avoid collisions, but it does become long.
| - set: | ||
| field: event.outcome | ||
| value: failure | ||
| if: ctx.dns?.response_code != null && ctx.dns.response_code != "NoError" |
| if: ctx.source?.ip != null && ctx.source.ip != '' | ||
| tag: set_network_direction_ingress | ||
|
|
||
| # InterfaceIP |
There was a problem hiding this comment.
Are these two IP fields worth getting geoip data for?
There was a problem hiding this comment.
The reasons why I didn't add geoip for these IPs are:
- These are usually static IPs for the life of the integration in a particular environment, as they represent the IP configured by the DNS Server to receive queries and forward data. In contrast to source and destination IPs, which represent where traffic is coming from and where it is going to.
- For the same reason, the traffic map in the dashboard doesn't include these IPs.
- They are much less frequent in the logs than the others.
Nevertheless, if you consider it worth it, I can add it.
| title: Match All Keyword | ||
| description: >- | ||
| This 8-byte bitmask filters events that match all specified keyword bits. Default value is 0 to let every event pass. Run `logman query providers "<provider.name>"` to list the available keywords for a specific provider. | ||
| default: "0x0000000000000000" |
There was a problem hiding this comment.
Just confirming that this syntax is required because the config struct field is a uint type. Is that correct?
There was a problem hiding this comment.
Yes, that's correct.
| - set: | ||
| field: event.category | ||
| value: [configuration] | ||
| if: ctx.winlog?.task != null && ctx.winlog.task == "Configuration" |
There was a problem hiding this comment.
You can combine these; ctx.winlog?.task resolves to null if ctx.winlog or ctx.winlog.task are null/absent, and null does not equal "Configuration", so the check is valid.
packages/microsoft_dnsserver/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
Proposed commit message
Add a new package to collect audit and analytical events for Microsoft DNS Server.
Checklist
changelog.ymlfile.Integration release checklist
This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.
All changes
New Package
Dashboards changes
Log dataset changes
sample_event.json) existsNote: Pending on elastic/elastic-package#1527 to add system tests and sample events.
Related issues
Screenshots
Integration page
Configuration
Analytical dashboard
Audit dashboard