Logs DNS queries on DNS servers.
This is useful for identifying the true source system that is initiating malicious DNS requests that you may have observed.
Note that this can be resource intensive for the CPU on busy DNS servers - from 5% to 70% CPU load of one core, but memory consumption is very low. This is still a lot less than enabling DNS debug logging.
name: Windows.ETW.DNSQueriesServer
type: CLIENT_EVENT
description: |
Logs DNS queries on DNS servers.
This is useful for identifying the true source system that is initiating
malicious DNS requests that you may have observed.
Note that this can be resource intensive for the CPU on busy DNS servers -
from 5% to 70% CPU load of one core, but memory consumption is very low. This
is still a lot less than enabling DNS debug logging.
author: "Jos Clephas - jos-ir"
parameters:
- name: QueryNameRegex
default: .
type: regex
- name: SourceIPRegex
default: .
type: regex
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT System.TimeStamp as TimeStamp,
System.ID as ID,
EventData.BufferSize as BufferSize,
EventData.Flags as Flags,
EventData.InterfaceIP as InterfaceIP,
EventData.Port as Port,
EventData.QNAME as QNAME,
EventData.QTYPE as QTYPE,
EventData.RD as RD,
EventData.Source as Source,
EventData.TCP as TCP,
EventData.XID as XID
FROM watch_etw(
description="EventLog-Microsoft-Windows-DNSServer-Analytical",
guid="{EB79061A-A566-4698-9119-3ED2807060E7}")
WHERE EventData AND
QNAME =~ QueryNameRegex AND
Source =~ SourceIPRegex