Microsoft DNS
This pack includes XSIAM content.
Configuration on Server Side for Filebeat
Open the RUN window and enter: dnsmgmt.msc
Right-click the name of the DNS server in the left-hand panel and select Properties.
In the Debug logging tab, add a check in Log packets for debugging
Ensure the following are checked: Outgoing, Incoming, Queries/Transfers, Updates.
For long (detailed) logs, select Details and enter the log file path:
c:\Windows\System32\dns\DNS.log
Note: Detailed captures will heavily bloat the logs.
Filebeat Collection
For the Filebeat collector, use the following option to collect events from the vendor:
You will need to configure the vendor and product for this specific collector.
XDRC (XDR Collector)
Use the information described here.
You can configure the vendor and product by replacing [vendor]_[product]_raw with microsoft_dns_raw.
When configuring the instance, you should use a yml file that configures the vendor and product, as shown in the below configuration for the Microsoft DNS product.
Pay Attention:
When using this pack there are two integrations available for it.
As enrichment, forwarding DNS Audit logs is supported via Winlogbeat
Via Filebeat for DNS Debug logs.
Via Winlogbeat for DNS Audit logs.
Follow these steps in order to configure the XDR Collector:
- The implementation of the Collector for both of the methods requires to create a Profile for each integration.
- For XSIAM version 1.2 only, in the relevant profile under the XDR Collectors Profiles, copy and paste the information from the Filebeat Configuration File section.
- Create a Policy and allocate the profiles you created to it.
Filebeat Configuration File
filebeat.inputs:
- type: filestream
enabled: true
paths:
- c:\Windows\System32\dns\DNS.log
processors:
- add_fields:
fields:
vendor: "microsoft"
product: "dns"
Note: The above configuration uses the default location of the logs.
Winlogbeat Configuration File
winlogbeat.event_logs:
- name: Microsoft-Windows-DNSServer/Audit
processors:
- add_fields:
fields:
vendor: microsoft
product: dns
id: dns-audit-logs
For XSIAM version 1.3 and above, use the built-in YAML template provided within the XDR collector configuration.