Ingest Windows DNS Debug logs using Elasticsearch Filebeat - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

Extend Cortex XDR visibility into Windows DNS Debug logs using Elasticsearch Filebeat with an XDR Collectors profile.

Extend Cortex XDR visibility into Windows DNS Debug logs using an XDR Collector Windows Filebeat profile.

Note

Ingesting logs and data requires a Cortex XDR Pro per GB license.

You can enrich network logs with Windows DNS Debug log data when defining data collection in a XDR Collector Windows Filebeat profile. When you add a XDR Collector Windows Filebeat profile using the Elasticsearch Filebeat default configuration file called filebeat.yml, you can define whether the collected data undergoes follow-up processing in the backend for Windows DNS Debug log data. Cortex XDR uses Windows DNS Debug logs to enrich your network logs that are searchable in XQL Search using the Windows DNS Debug Cortex Query Language (XQL) dataset (microsoft_dns_raw) for the raw data and query the normalized stories using the xdr_data dataset with the preset called network_story.XQL Search

Configure Cortex XDR to receive Windows DNS Debug logs using an XDR Collector Windows Filebeat profile.

  1. Enable DNS Debug Logging in your Windows DNS server settings.

    1. Open Windows DNS Manager, right-click your Windows DNS Server, and select Properties.

    2. Select Debug LoggingLog packets for debugging, and leave the different settings that are automatically configured for collecting regular Windows DNS logs in the Packet direction and Packet contents sections.

    3. To collect detailed Windows DNS logs, under the Other options section, select Details.

      Note

      Detailed logs are significantly larger as more information is added to the logs.

    4. In the Log file section, specify the File path and name to your Windows DNS logs, such as c:\Windows\System32\dns\DNS.log, which should be the same one configured in your filebeat.yml file as explained in Ingest Windows DNS Debug logs using Elasticsearch Filebeat.

    5. Click OK.

  2. Add an XDR Collector Profile for Windows.

    Follow the steps for creating a Windows Filebeat profile explained in this section, and configure the filebeat.yml file as explained in the following step.

  3. Configure the filebeat.yml file to collect Windows DNS Debug log data.

    You can enrich network logs with Windows DNS Debug log data when defining data collection by setting the vendor to “microsoft” and product to “dns” in the filebeat.yml file, which you can then query the raw data in the microsoft_dns_raw dataset. Use the xdr_data dataset to query the normalized stories with the preset called network_story.

    Here are examples of how to configure the filebeat.yml file to normalize Windows DNS Debug logs with an XDR Collector, which you can modify according to your system settings. The syntax changes depending on whether you are collecting regular or detailed Windows DNS Debug logs according to your DNS Debug Logging settings as configured in your Ingest Windows DNS Debug logs using Elasticsearch Filebeat. In addition, the path to your Windows DNS Debug logs configured in your filebeat.yml must be the same one configured in your Windows DNS server settings as explained above.

    Note

    To avoid formatting issues in your filebeat.yml, we recommend that you validate the syntax of the YML.

    • Example for collecting regular Windows DNS logs.

      filebeat.inputs:
      - type: filestream
        enabled: true
        paths:
          -  c:\Windows\System32\dns\DNS.log
        processors:
          - add_fields:
              fields: 
                vendor: "microsoft"
                product: "dns"
    • Example for collecting detailed Windows DNS logs.

    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        -  c:\Windows\System32\dns\DNS.log
      multiline.type: pattern
      multiline.pattern: '^(?:\d{1,2}\/){2}\d{4}\s(?:\d{1,2}\:){2}\d\d\s(?:AM|PM)'
      multiline.negate: true
      multiline.match: after
      processors:
        - add_fields:
            fields: 
              vendor: "microsoft"
              product: "dns"