Microsoft DNS
This pack includes XSIAM content.
Configuration on Server Side
Open the RUN window and enter: dnsmgmt.msc
Right-click the name of the DNS server in the left-hand panel and select Properties.
In the Debug logging tab, check Log packets for debugging.
Ensure the following are checked: Outgoing, Incoming, Queries/Transfers, Updates.
For long (detailed) logs, also check Details. Enter the log file path:
c:\Windows\System32\dns\DNS.log
Note: Detailed captures will heavily bloat the logs.
Filebeat Collection
For the Filebeat collector, use the following option to collect events from the vendor.
You will need to configure the vendor and product for this specific collector.
XDRC (XDR Collector)
Use the information described here.
You can configure the vendor and product by replacing [vendor]_[product]_raw with microsoft_dns_raw.
When configuring the instance, use a yml file that sets the vendor and product, as in the configuration below for the Microsoft DNS product.
For XSIAM version 1.2 only, copy and paste the following into the Filebeat Configuration File section (inside the relevant profile under the XDR Collectors Profiles).
Filebeat Configuration File
```yaml
filebeat.inputs:
  - type: filestream
    enabled: true
    paths:
      - c:\Windows\System32\dns\DNS.log
    processors:
      - add_fields:
          fields:
            vendor: "microsoft"
            product: "dns"
```
Note: The above configuration uses the default location of the logs.
For XSIAM version 1.3 and above, please use the built-in YAML template provided within the XDR collector configuration.
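Once DNS.log is being shipped by the configuration above, the lines that arrive are raw debug-log packet records. The parser below is an added example, not part of this pack: it assumes the standard layout of a Windows DNS debug-log PACKET line (date, time, thread id, context, packet id, protocol, direction, remote IP, XID, "R" for responses, opcode, bracketed flags and response code, question type, length-prefixed question name), decodes the `(3)www(7)example(3)com(0)` name form, and counts NXDOMAIN answers per client as a cheap lookalike-domain or DGA signal. The sample lines are constructed, not captured from a real server.

```python
import re

# One PACKET line of the Windows DNS debug log; field order assumed from the standard
# layout: date, time, thread id, context, packet id, UDP/TCP, Snd/Rcv, remote IP,
# XID, "R" only on responses, opcode, [flags hex, flag chars, rcode], qtype, qname.
PACKET_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d{1,2}:\d{2}:\d{2}(?:\s+[AP]M)?)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?P<packet_id>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote_ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?:(?P<qr>R)\s+)?(?P<opcode>[QNU?])\s+"
    r"\[(?P<flags>[0-9A-Fa-f]{4})\s+(?P<flag_chars>[ATDR ]*?)\s+(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

def decode_qname(raw: str) -> str:
    """Turn the length-prefixed form "(3)www(7)example(3)com(0)" into "www.example.com"."""
    labels = re.findall(r"\(\d+\)([^(]*)", raw)
    return ".".join(label for label in labels if label) or "."

def parse_packet_line(line: str):
    """Parse one log line into a dict; returns None for header, blank or non-packet lines."""
    m = PACKET_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["is_response"] = rec.pop("qr") == "R"          # column is blank on queries
    rec["flags"] = int(rec["flags"], 16)                # DNS header flags as an int
    rec["flag_chars"] = rec["flag_chars"].replace(" ", "")  # e.g. "A DR" -> "ADR"
    rec["qname"] = decode_qname(rec["qname"])
    return rec

def nxdomain_by_client(log_text: str) -> dict:
    """Count NXDOMAIN answers the server sent, keyed by the client IP that asked."""
    counts: dict = {}
    for line in log_text.splitlines():
        pkt = parse_packet_line(line)
        if pkt and pkt["is_response"] and pkt["direction"] == "Snd" and pkt["rcode"] == "NXDOMAIN":
            counts[pkt["remote_ip"]] = counts.get(pkt["remote_ip"], 0) + 1
    return counts

# Constructed sample lines in the debug-log layout (not taken from a real server).
SAMPLE_LOG = """\
10/13/2020 10:49:16 AM 1A18 PACKET  0000020D08E2B4D0 UDP Rcv 10.0.0.4        87d6   Q [0001   D   NOERROR] A      (4)mail(7)example(3)com(0)
10/13/2020 10:49:16 AM 1A18 PACKET  0000020D08E2B4D0 UDP Snd 10.0.0.4        87d6 R Q [8081   DR  NOERROR] A      (4)mail(7)example(3)com(0)
10/13/2020 10:49:17 AM 1A18 PACKET  0000020D08E2C100 UDP Rcv 10.0.0.9        1f02   Q [0001   D   NOERROR] TXT    (12)kq7x2m9pz4wl(7)example(3)com(0)
10/13/2020 10:49:17 AM 1A18 PACKET  0000020D08E2C100 UDP Snd 10.0.0.9        1f02 R Q [8583 A DR  NXDOMAIN] TXT    (12)kq7x2m9pz4wl(7)example(3)com(0)
"""
```

Lines that do not match the PACKET layout (the file header, blank lines, or entries written with a different Details setting) are skipped rather than raising, so the counter can run over a whole rotated log.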