Add Sysmon DNS (event ID 22) to module #12960

Merged

Conversation

andrewkroh
Member

@andrewkroh andrewkroh commented Jul 18, 2019

Add support for Sysmon event ID 22 (DNS Query) added in Sysmon v10. The mapping is

  • winlog.event_data.QueryName -> dns.question.name
  • winlog.event_data.QueryStatus -> sysmon.dns.status
    • This value is 100% specific to Windows because it's a Windows error code. It might be based on the response code, but it's not exactly the same.
  • winlog.event_data.QueryResults -> dns.answers.data, dns.answers.type
  • winlog.event_data.QueryResults -> dns.grouped.ip

Sample:

{
    "@timestamp": "2019-07-18T03:34:01.239Z",
    "dns": {
      "answers": [
        {
          "data": "go.microsoft.com.edgekey.net",
          "type": "CNAME"
        },
        {
          "data": "e11290.dspg.akamaiedge.net",
          "type": "CNAME"
        },
        {
          "data": "23.223.14.67",
          "type": "A"
        }
      ],
      "answers_count": 3,
      "grouped": {
        "ip": [
          "23.223.14.67"
        ]
      },
      "question": {
        "length": 16,
        "name": "go.microsoft.com"
      }
    },
    "event": {
      "code": 22,
      "kind": "event"
    },
    "log": {
      "level": "information"
    },
    "process": {
      "entity_id": "{FA4A0DE6-E8A8-5D2F-0000-001094619900}",
      "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
      "name": "iexplore.exe",
      "pid": 356
    },
    "sysmon": {
      "dns": {
        "status": "SUCCESS"
      }
    },
    "winlog": ...
}
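As an added example (not the Winlogbeat module's own processor code), here is a parser that turns the Sysmon event ID 22 QueryResults string into the dns.answers and dns.grouped.ip fields described in the mapping above. It assumes the Sysmon QueryResults layout as I understand it (";"-separated entries, non-address records written as "type:  <n> <data>", IPv4 answers written as "::ffff:a.b.c.d", IPv6 answers bare); the input string is constructed to reproduce the go.microsoft.com sample output above.

```javascript
// Added example, not Winlogbeat's sysmon module code. Parses the Sysmon
// event 22 QueryResults string into ECS-style dns.answers / dns.grouped.ip.
// Assumed format: entries separated by ";"; non-address records appear as
// "type:  <num> <data>"; IPv4 addresses are IPv4-mapped ("::ffff:a.b.c.d");
// IPv6 addresses appear bare.

// DNS RR type numbers that commonly show up in QueryResults.
const RR_TYPES = {
  1: "A", 5: "CNAME", 6: "SOA", 12: "PTR",
  15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV",
};

function parseQueryResults(results) {
  const answers = [];
  const ips = [];
  for (const raw of results.split(";")) {
    const entry = raw.trim();
    if (entry === "") continue; // trailing ";" leaves an empty entry
    const m = entry.match(/^type:\s*(\d+)\s+(.*)$/);
    if (m) {
      // Explicitly typed record (CNAME, SOA, ...); unknown numbers are kept as-is.
      const num = Number(m[1]);
      answers.push({ data: m[2].trim(), type: RR_TYPES[num] || String(num) });
      continue;
    }
    // Untyped entries are addresses; strip the IPv4-mapped prefix for A records.
    if (entry.startsWith("::ffff:")) {
      const ip = entry.slice("::ffff:".length);
      answers.push({ data: ip, type: "A" });
      ips.push(ip);
    } else {
      answers.push({ data: entry, type: "AAAA" });
      ips.push(entry);
    }
  }
  // grouped.ip is de-duplicated so repeated addresses aggregate cleanly.
  return { answers, answers_count: answers.length, grouped: { ip: [...new Set(ips)] } };
}

// Constructed QueryResults value that reproduces the page's go.microsoft.com sample.
const SAMPLE =
  "type:  5 go.microsoft.com.edgekey.net;type:  5 e11290.dspg.akamaiedge.net;::ffff:23.223.14.67;";

console.log(JSON.stringify(parseQueryResults(SAMPLE), null, 2));
```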

@andrewkroh andrewkroh changed the title Update module for Sysmon 10 Update module for Sysmon 10 (DNS Query) Jul 18, 2019
@andrewkroh andrewkroh force-pushed the feature/wlb/sysmon-dns-event-id-22 branch 2 times, most recently from fee533f to e7d7c96 Compare July 18, 2019 15:57
@andrewkroh andrewkroh changed the title Update module for Sysmon 10 (DNS Query) Update sysmon and security modules Jul 18, 2019
@andrewkroh andrewkroh force-pushed the feature/wlb/sysmon-dns-event-id-22 branch from e7d7c96 to f845320 Compare July 18, 2019 15:58
@andrewkroh andrewkroh marked this pull request as ready for review July 18, 2019 16:00
@andrewkroh andrewkroh requested a review from a team as a code owner July 18, 2019 16:00
@elasticmachine
Collaborator

Pinging @elastic/secops

@andrewkroh andrewkroh force-pushed the feature/wlb/sysmon-dns-event-id-22 branch 2 times, most recently from bebe0c5 to 1703388 Compare July 23, 2019 22:16
@andrewkroh andrewkroh changed the title Update sysmon and security modules Add Sysmon DNS (event ID 22) to module Jul 23, 2019
Contributor

@adriansr adriansr left a comment


LGTM

Add support for Sysmon event ID 22 (DNS Query) added in Sysmon v10. The mapping is
  - `winlog.event_data.QueryName` -> `dns.question.name`
  - `winlog.event_data.QueryStatus` -> `sysmon.dns.status`
    - This value is 100% specific to Windows because it's a Windows error code. It might be based on the response code, but it's not exactly the same.
  - `winlog.event_data.QueryResults` -> `dns.answers.data`, `dns.answers.type`
  - `winlog.event_data.QueryResults` -> `dns.grouped.ip`
It might be removed based on the current ECS proposal.
@andrewkroh andrewkroh force-pushed the feature/wlb/sysmon-dns-event-id-22 branch from 2440e8f to 4992479 Compare July 30, 2019 18:17
@andrewkroh andrewkroh merged commit 182cb96 into elastic:master Jul 30, 2019
@andrewkroh andrewkroh mentioned this pull request Aug 22, 2019
@nicpenning
Contributor

nicpenning commented Jan 20, 2020

Hello,

I didn't get any bites on my post in the discuss forums so I will try posting here since I believe it relates. If it does not, please disregard.

Essentially, the DNS answers type and data (when not an IP address) are not stored in the document. Being able to search/aggregate on types and data (including CNAMEs, as in the example below) would be very beneficial for security analytics.

https://discuss.elastic.co/t/sysmon-dns-logs-dns-answers-types/213471

I will also add this SysMon DNS query related post as well:

https://discuss.elastic.co/t/sysmon-dns-query-missing-status-codes/213396

This appears to be a status code that is not included in this initial module. If it has since been added, this can be ignored. There are probably another 5+ status codes that are not getting enhanced with the module, but I will save those for when I know how you would like to proceed with this one.

Thank you for all the work that your team does there at Elastic!
