Skip to main content

Microsoft DNS

Download With Dependencies

The Microsoft Domain Name Server (DNS) produces audit logs that identify resources from your company that are connected to the internet or your private network, and translate domain names to IP addresses.

Microsoft DNS

This pack includes XSIAM content.

Configuration on Server Side

  1. Open the RUN window and enter: dnsmgmt.msc

  2. Right-click the name of the DNS server in the left-hand panel and select Properties.

  3. In the Debug logging tab, add a check in Log packets for debugging

  4. Ensure the following are checked: Outgoing, Incoming, Queries/Transfers, Updates.

  5. For long (detailed) logs, select Details and enter the log file path: c:\Windows\System32\dns\DNS.log

    Note: Detailed captures will heavily bloat the logs.

Filebeat Collection

For the Filebeat collector, use the following option to collect events from the vendor:

You will need to configure the vendor and product for this specific collector.

XDRC (XDR Collector)

Use the information described here.

You can configure the vendor and product by replacing [vendor]_[product]_raw with microsoft_dns_raw.

When configuring the instance, you should use a yml file that configures the vendor and product, as shown in the below configuration for the Microsoft DNS product.

For XSIAM version 1.2 only, copy and paste the below in the Filebeat Configuration File section (inside the relevant profile under the XDR Collectors Profiles).

Filebeat Configuration File

filebeat.inputs:
- type: filestream
  enabled: true
  paths:
    -  c:\Windows\System32\dns\DNS.log
  processors:
    - add_fields:
        fields: 
          vendor: "microsoft"
          product: "dns"

Note: The above configuration uses the default location of the logs.

For XSIAM version 1.3 and above, please use the built-in YAML template provided within the XDR collector configuration.

PUBLISHER

Cortex

PLATFORMS

Cortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedAugust 22, 2022
Last ReleaseJanuary 24, 2023

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.