[microsoft_dnsserver] Initial release of Microsoft DNS Server integration #9722
base: main
Conversation
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)
🚀 Benchmarks report
💚 Build Succeeded
Quality Gate passed
packages/microsoft_dnsserver/data_stream/analytical/agent/stream/etw.yml.hbs
```yaml
- set:
    field: event.category
    value: [configuration]
    if: ctx.winlog?.task != null && ctx.winlog.task == "Configuration"
```
Suggested change:
```diff
-    if: ctx.winlog?.task != null && ctx.winlog.task == "Configuration"
+    if: ctx.winlog?.task == "Configuration"
```
You can possibly combine both conditions
> `if: ctx.winlog?.task == "Configuration"`

This condition covers the possibility that `ctx.winlog` exists but `ctx.winlog.task` is not present? If so, I will update the whole pipeline. Just asking because I see many integrations having both checks.
You can combine these; `ctx.winlog?.task` resolves to `null` if `ctx.winlog` or `ctx.winlog.task` are `null`/absent, and `null` does not equal "Configuration", so the check is valid.
DNS analytical events are not enabled by default. To enable it, you can follow the [guide to enable DNS diagnostics logging](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)#to-enable-dns-diagnostic-logging) of Microsoft's documentation.

**Note:** DNS logging and diagnostics feature in Windows is designed to have a very low impact on performance. However, according to the [Audit and analytic event logging section](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)#audit-and-analytic-event-logging), typically will only affect DNS server performance at very high DNS query rates. For example, a DNS server running on modern hardware that is receiving 100,000 queries per second (QPS) can experience a performance degradation of 5% when analytic logs are enabled.
Suggested change:
```diff
-**Note:** DNS logging and diagnostics feature in Windows is designed to have a very low impact on performance. However, according to the [Audit and analytic event logging section](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)#audit-and-analytic-event-logging), typically will only affect DNS server performance at very high DNS query rates. For example, a DNS server running on modern hardware that is receiving 100,000 queries per second (QPS) can experience a performance degradation of 5% when analytic logs are enabled.
+**Note:** DNS logging and diagnostics feature in Windows is designed to have a very low impact on performance. However, according to the [Audit and analytic event logging section](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)#audit-and-analytic-event-logging) of the docs, typically will only affect DNS server performance at very high DNS query rates. For example, a DNS server running on modern hardware that is receiving 100,000 queries per second (QPS) can experience a performance degradation of 5% when analytic logs are enabled.
```
(this is a new para, so the documentation needs a reference to bring it into scope for the reader)
This integration provides a native filtering mechanism called `Match All Keyword`. This filter uses a 64-bit bitmask to specify which events to capture based on their defined keywords. Each keyword corresponds to a specific type of event detailed in the DNS Server provider's manifest.

To view these keywords and understand what types of events can be traced, you can run the following command in a command prompt: `logman query providers "Microsoft-Windows-DNSServer"`. Here is an example of how it looks like:
Suggested change:
```diff
-To view these keywords and understand what types of events can be traced, you can run the following command in a command prompt: `logman query providers "Microsoft-Windows-DNSServer"`. Here is an example of how it looks like:
+To view these keywords and understand what types of events can be traced, you can run the following command in a command prompt: `logman query providers "Microsoft-Windows-DNSServer"`. Here is an example of the output:
```
```
The command completed successfully.
```
The output lists various event types with corresponding keywords, allowing you to select which events to monitor. For example, if you want to track recursive queries, you would look for keywords like `RECURSE_QUERY_OUT`, `RECURSE_RESPONSE_IN`, and `RECURSE_QUERY_DROP`. To set up filtering for these specific events, you would calculate the sum of their bitmask values. The result for this particular case would be `0x8000000000000070` (notice that it includes `0x8000000000000000` to match Analytical events as well).
Is this something that would be worth adding as a user-friendly configuration where they can add a list of the keywords and the pipeline calculates the bitmask? or is the set of keywords a moving feast?
These keywords vary depending on the version of Windows, so we would have to create different translations accordingly. In addition, a more user-friendly form of filtering is planned for future iterations: elastic/beats#38105
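The README paragraph above walks through the `Match All Keyword` calculation by hand: look the keyword names up in the `logman query providers` table, combine their bit values, and add the Analytical channel bit. The script below is an added example (it is not part of the integration, the PR, or Beats) that does the same thing from the command's text output, so the mask can be regenerated per Windows version instead of being copied from a doc, which matters since the reply above notes that the keyword set varies by version. The `logman` excerpt in `SAMPLE_LOGMAN_OUTPUT` is constructed for the example: the column layout follows what `logman` prints, the GUID is a placeholder, and the keyword values are chosen so that the README's quoted total `0x8000000000000070` comes out of the calculation; run the real command on the host to get the authoritative values. Each keyword is a distinct bit flag, so the README's "sum" is a bitwise OR, and the builder rejects overlapping bits rather than silently double counting them. `format_mask` renders the result as the zero-padded hex string form the package config uses for its default.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample in the shape `logman query providers "<provider>"` prints.
# GUID is a placeholder; keyword values are constructed for this example and
# chosen so the README's worked total (0x8000000000000070) falls out of them.
SAMPLE_LOGMAN_OUTPUT = """\
Provider                                 GUID
-------------------------------------------------------------------------------
Microsoft-Windows-DNSServer              {00000000-0000-0000-0000-000000000000}

Value               Keyword                                 Description
-------------------------------------------------------------------------------
0x0000000000000001  QUERY_RECEIVED                          Query received
0x0000000000000010  RECURSE_QUERY_OUT                       Recursive query sent
0x0000000000000020  RECURSE_RESPONSE_IN                     Recursive response received
0x0000000000000040  RECURSE_QUERY_DROP                      Recursive query dropped
0x8000000000000000  Microsoft-Windows-DNSServer/Analytical  Analytical channel

The command completed successfully.
"""

# Name used in the constructed table for the channel bit the README says to add.
ANALYTICAL_KEYWORD = "Microsoft-Windows-DNSServer/Analytical"
_KEYWORD_LINE = re.compile(r"^(0x[0-9A-Fa-f]{1,16})\s+(\S+)")
MASK_MAX = (1 << 64) - 1  # the filter is an 8-byte bitmask


def parse_keywords(logman_text: str) -> Dict[str, int]:
    """Return {keyword name: bit value} from the keyword table of logman output."""
    keywords: Dict[str, int] = {}
    for line in logman_text.splitlines():
        m = _KEYWORD_LINE.match(line.strip())
        if m:  # only rows that start with a hex value are keyword rows
            keywords[m.group(2)] = int(m.group(1), 16)
    return keywords


def build_match_all_keyword(names: Iterable[str], keywords: Dict[str, int],
                            include_analytical: bool = True) -> int:
    """Combine the named keywords (plus the Analytical bit) into one 64-bit mask."""
    selected = list(names)
    if include_analytical:
        selected.append(ANALYTICAL_KEYWORD)
    mask = 0
    for name in selected:
        if name not in keywords:
            raise KeyError(f"unknown keyword {name!r}; check the logman output")
        value = keywords[name]
        if mask & value:  # flags are distinct bits; overlap means a bad table
            raise ValueError(f"keyword {name!r} overlaps bits already selected")
        mask |= value
    if mask > MASK_MAX:
        raise ValueError("mask does not fit in 64 bits")
    return mask


def format_mask(mask: int) -> str:
    """Render the mask as the zero-padded hex string used in the package config."""
    return f"0x{mask:016x}"


def decode_mask(mask: int, keywords: Dict[str, int]) -> List[str]:
    """List the keywords whose bits are all present in `mask`, lowest bit first."""
    return [name for name, value in sorted(keywords.items(), key=lambda kv: kv[1])
            if value and mask & value == value]


if __name__ == "__main__":
    table = parse_keywords(SAMPLE_LOGMAN_OUTPUT)
    wanted = ["RECURSE_QUERY_OUT", "RECURSE_RESPONSE_IN", "RECURSE_QUERY_DROP"]
    mask = build_match_all_keyword(wanted, table)
    print(format_mask(mask))        # 0x8000000000000070
    print(decode_mask(mask, table))  # the three recurse keywords plus Analytical
```

Feed `parse_keywords` the saved output of `logman query providers "Microsoft-Windows-DNSServer"` from the target host, and use `decode_mask` in the other direction to check what an existing mask in a deployed config actually selects.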
```json
  },
  "response_code": "NoError"
},
"dnsserver": {
```
Should this be `microsoft_dnsserver` to match the integration path name? That's the usual convention to avoid collisions, but it does become long.
```yaml
- set:
    field: event.outcome
    value: failure
    if: ctx.dns?.response_code != null && ctx.dns.response_code != "NoError"
```
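Review bot: The null guard on `ctx.dns?.response_code` is needed in this condition, unlike the equality check on `winlog.task` discussed above, because the comparison is `!=`: when `response_code` is absent, `ctx.dns?.response_code` resolves to `null`, `null != "NoError"` evaluates to true, and the processor would set `event.outcome: failure` on every event that carries no response code at all. Keep the condition as written, and consider a short comment on this processor so a later cleanup pass does not "simplify" it the way the `winlog.task` checks are being simplified.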
This must remain though.
```yaml
    if: ctx.source?.ip != null && ctx.source.ip != ''
    tag: set_network_direction_ingress

# InterfaceIP
```
Are these two IP fields worth getting geoip data for?
The reasons why I didn't add geoip for these IPs are:
- These are usually static IPs for the life of the integration in a particular environment, as they represent the IP configured by the DNS Server to receive queries and forward data, in contrast to source and destination IPs, which represent where traffic is coming from and where it is going to.
- For the same reason, the traffic map in the dashboard doesn't include these IPs.
- They are much less frequent in the logs than the others.
Nevertheless, if you consider it worth it, I can add it.
```yaml
title: Match All Keyword
description: >-
  This 8-byte bitmask filters events that match all specified keyword bits. Default value is 0 to let every event pass. Run `logman query providers "<provider.name>"` to list the available keywords for a specific provider.
default: "0x0000000000000000"
```
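Review bot: The description says the mask "filters events that match all specified keyword bits", while the README example builds a mask by summing several event keywords into `0x8000000000000070`; those read as two different semantics (ETW keeps separate match-any and match-all keyword filters, and they behave differently), so state in the description how a mask carrying more than one event keyword bit is evaluated, and mention that the value must be written as a zero-padded hex string since the underlying config field is an unsigned integer.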
Just confirming that this syntax is required because the config struct field is a uint type. Is that correct?
Yes, that's correct.
Proposed commit message
Add a new package to collect audit and analytical events for Microsoft DNS Server.

Checklist
- `changelog.yml` file

Integration release checklist
This checklist is intended for integrations maintainers to ensure consistency when creating or updating a Package, Module or Dataset for an Integration.
- All changes
- New Package
- Dashboards changes
- Log dataset changes
- `sample_event.json` exists. Note: Pending on elastic/elastic-package#1527 to add system tests and sample events.

Related issues

Screenshots
[Screenshot: Integration page]
[Screenshot: Configuration]
[Screenshot: Analytical dashboard]
[Screenshot: Audit dashboard]