Logs dns queries on DNS servers. This is handy for identifying the true source system that is initiating malicious dns requests that you observed. Note that this can be resource intensive for the CPU on busy DNS servers - from 5% to 70% CPU load of one core, but memory consumption is very low. This is still a lot less then enabling DNS debug logging.
name: Windows.ETW.DNSQueriesServer
type: CLIENT_EVENT
description: |
Logs dns queries on DNS servers. This is handy for identifying the true source system that is initiating malicious dns requests that you observed. Note that this can be resource intensive for the CPU on busy DNS servers - from 5% to 70% CPU load of one core, but memory consumption is very low. This is still a lot less then enabling DNS debug logging.
author: "Jos Clephas - jos-ir"
parameters:
- name: QueryNameRegex
default: .
type: regex
- name: SourceIPRegex
default: .
type: regex
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT System.TimeStamp as TimeStamp,
System.ID as ID,
EventData.BufferSize as BufferSize,
EventData.Flags as Flags,
EventData.InterfaceIP as InterfaceIP,
EventData.Port as Port,
EventData.QNAME as QNAME,
EventData.QTYPE as QTYPE,
EventData.RD as RD,
EventData.Source as Source,
EventData.TCP as TCP,
EventData.XID as XID
FROM watch_etw(
description="EventLog-Microsoft-Windows-DNSServer-Analytical",
guid="{EB79061A-A566-4698-9119-3ED2807060E7}")
WHERE EventData AND
QNAME =~ QueryNameRegex AND
Source =~ SourceIPRegex