Tech Curious

Log DNS queries and Forward to SIEM

Hi Experts,

We need to log DNS queries processed by the Active Directory DNS servers and forward them to the SOC and SIEM, so that the SOC can:

• Correlate a malware/phishing alert with a DNS request
• Detect suspicious or known-malicious domains
• Make the incident timeline, for example: user clicked X at 10:02 AM
• Investigate incidents based on what domains were resolved

The end goal is to allow the SOC to detect suspicious or malware-related domain queries based on threat intel.

If anyone has suggestions, it would be appreciated.


ASKER CERTIFIED SOLUTION
Shaun Vermaak

Tech Curious

ASKER

Thanks experts.

Could you please share a reference guide to configure Event Tracing for Windows (ETW)?

What about using Sysmon from Sysinternals?

I would appreciate it.


SOLUTION
kevinhsieh

Melissa P

Honestly, tell your SOC to get Claroty; all you need is a span port and it'll passively monitor the network and once they establish a baseline, it's easy enough to flag abnormal or suspicious activity. It's minimal effort for you, and gives them the ability to do what you mentioned. :) 

Tech Curious

ASKER

We installed Sysmon on my Windows AD DNS server and Event ID 22 is working fine when I run DNS lookups locally on the server.

However, when I make DNS queries from a client machine that uses this DNS server, no Event ID 22 is generated.

I expected that when the server resolves a request on behalf of a client, Sysmon would log that as well, but it only seems to record queries generated locally.

Any suggestions?




Melissa P

I'd highly suggest reading through the below; it's a config file for sysmon, but it's extremely useful as it's heavily commented and explains the details for each section. You may find that this helps you get to the nitty gritty of how best to configure for your needs. 

https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
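Added example for the original question (getting server-side DNS query logs into a SIEM) and the Sysmon follow-up; it is not code from the thread or its participants. Sysmon Event ID 22 comes from the DNS client side of the host it is installed on, so lookups the DNS Server service resolves for remote clients never appear there; those are emitted by the server's own ETW provider, Microsoft-Windows-DNSServer, in its Analytical channel. The script enables that channel and flattens the QUERY_RECEIVED events (ID 256) into JSON lines; the output path and the field names used (Source, QNAME, QTYPE) are assumptions based on the documented event layout.

```powershell
# Added example (not from the thread): turn on the DNS Server analytic ETW
# channel on an AD DNS server and export received queries (Event ID 256,
# QUERY_RECEIVED) as JSON lines for a SIEM collector. Run elevated on the server.
# Assumptions: channel and EventData field names as documented by Microsoft
# for Windows Server 2012 R2 and later; output path is hypothetical.

$Channel = 'Microsoft-Windows-DNSServer/Analytical'
$OutFile = 'C:\ProgramData\dns-queries.jsonl'   # hypothetical destination

# 1. Enable the analytic channel (disabled by default). /q:true suppresses the
#    confirmation prompt wevtutil shows for analytic/debug logs.
wevtutil sl $Channel /e:true /q:true

# 2. Flatten one event's EventData (<Data Name="...">value</Data>) into a
#    record with the fields a SOC actually correlates on.
function ConvertTo-DnsQueryRecord {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord] $Event
    )
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            time     = $Event.TimeCreated.ToUniversalTime().ToString('o')
            server   = $Event.MachineName
            event_id = $Event.Id
            client   = $data['Source']                 # client IP:port of the query
            qname    = ([string]$data['QNAME']).TrimEnd('.')
            qtype    = $data['QTYPE']
        }
    }
}

# 3. Analytic channels can only be read oldest-first; keep QUERY_RECEIVED only.
$records = Get-WinEvent -LogName $Channel -Oldest -ErrorAction SilentlyContinue |
    Where-Object Id -eq 256 |
    ConvertTo-DnsQueryRecord

# 4. One JSON object per line is the simplest shape for a file-tailing agent.
$records | ForEach-Object { $_ | ConvertTo-Json -Compress } |
    Set-Content -Path $OutFile -Encoding UTF8
```

Windows Event Forwarding does not collect analytic channels, so the forwarding step needs an agent on the DNS server that reads this channel or the file produced above; threat-intel matching on qname then happens in the SIEM.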
