Extend Cortex XDR visibility into Windows DNS Debug logs using Elasticsearch Filebeat with an XDR Collectors profile.
Extend Cortex XDR visibility into Windows DNS Debug logs using an XDR Collector Windows Filebeat profile.
Note
Ingesting logs and data requires a Cortex XDR Pro per GB license.
You can enrich network logs with Windows DNS Debug log data when defining data collection in an XDR Collector Windows Filebeat profile. When you add an XDR Collector Windows Filebeat profile using the Elasticsearch Filebeat default configuration file, filebeat.yml, you can define whether the collected data undergoes follow-up processing in the backend for Windows DNS Debug log data. Cortex XDR uses Windows DNS Debug logs to enrich your network logs, which are searchable in XQL Search: query the raw data using the Windows DNS Debug Cortex Query Language (XQL) dataset (microsoft_dns_raw), and query the normalized stories using the xdr_data dataset with the preset called network_story.
Configure Cortex XDR to receive Windows DNS Debug logs using an XDR Collector Windows Filebeat profile.
1. Enable DNS Debug Logging in your Windows DNS server settings.
   a. Open Windows DNS Manager, right-click your Windows DNS Server, and select Properties.
   b. Enable packet logging for debugging, and leave the settings that are automatically configured for collecting regular Windows DNS logs in the Packet direction and Packet contents sections as they are. To collect detailed Windows DNS logs, under the Other options section, select Details.
      Note: Detailed logs are significantly larger, because more information is added to each log entry.
   c. In the Log file section, specify the File path and name of your Windows DNS log, such as c:\Windows\System32\dns\DNS.log. This must be the same path configured in your filebeat.yml file, as explained below.
   d. Click OK.
2. Add an XDR Collector Profile for Windows.
   Follow the steps for creating a Windows Filebeat profile explained in this section, and configure the filebeat.yml file as explained in the following step.
3. Configure the filebeat.yml file to collect Windows DNS Debug log data.
   You can enrich network logs with Windows DNS Debug log data when defining data collection by setting vendor to "microsoft" and product to "dns" in the filebeat.yml file. You can then query the raw data in the microsoft_dns_raw dataset, and use the xdr_data dataset to query the normalized stories with the preset called network_story.
   Here are examples of how to configure the filebeat.yml file to normalize Windows DNS Debug logs with an XDR Collector, which you can modify according to your system settings. The syntax changes depending on whether you are collecting regular or detailed Windows DNS Debug logs, according to the DNS Debug Logging settings you configured in your Windows DNS server settings above (the detailed configuration adds multiline settings so that the extra detail lines are kept with the log entry they belong to). In addition, the path to your Windows DNS Debug logs configured in your filebeat.yml must be the same one configured in your Windows DNS server settings, as explained above.
   Note: To avoid formatting issues in your filebeat.yml, we recommend that you validate the syntax of the YML.
Example for collecting regular Windows DNS logs.
filebeat.inputs:
- type: filestream
  enabled: true
  paths:
    - c:\Windows\System32\dns\DNS.log
  processors:
    - add_fields:
        fields:
          vendor: "microsoft"
          product: "dns"
Example for collecting detailed Windows DNS logs.
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - c:\Windows\System32\dns\DNS.log
  # A new log entry starts with a timestamp such as 5/10/2023 10:15:42 AM; lines
  # that do not match are appended to the preceding entry, keeping detail lines together.
  multiline.type: pattern
  multiline.pattern: '^(?:\d{1,2}\/){2}\d{4}\s(?:\d{1,2}\:){2}\d\d\s(?:AM|PM)'
  multiline.negate: true
  multiline.match: after
  processors:
    - add_fields:
        fields:
          vendor: "microsoft"
          product: "dns"
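The following Python script, added here as an example and not part of the Cortex XDR documentation or of Filebeat, applies the same record-start rule as the multiline settings in the detailed-log configuration above to a constructed sample of a detailed Windows DNS debug log, then parses each record's header line and attaches the vendor and product values that route the data to the microsoft_dns_raw dataset. The header regex and the sample log lines are assumptions written for this example; the result shows that without the multiline grouping each continuation line of a detailed log would become a separate event.

```python
import re

# Same record-start rule as multiline.pattern in the detailed-log filebeat.yml above
# (negate: true, match: after): a timestamp starts a record, any other line continues it.
RECORD_START = re.compile(r'^(?:\d{1,2}/){2}\d{4}\s(?:\d{1,2}:){2}\d\d\s(?:AM|PM)')

# Layout of a Windows DNS debug PACKET line (assumed; written for this example).
HEADER = re.compile(
    r'^(?P<ts>\S+ \S+ (?:AM|PM))\s+(?P<thread>[0-9A-F]+)\s+PACKET\s+\S+\s+'
    r'(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>[0-9a-f]+)'
    r'\s+(?P<resp>R?)\s*(?P<op>\S)\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)')

# What the add_fields processor in the page's filebeat.yml attaches under "fields".
ADD_FIELDS = {"vendor": "microsoft", "product": "dns"}

# Constructed detailed-log sample: PACKET lines followed by continuation lines.
SAMPLE = """\
5/10/2023 10:15:42 AM 0A2C PACKET  000001E8B1F2D3C0 UDP Rcv 10.0.0.25       8f3a   Q [0001   D   NOERROR] A      (7)example(3)com(0)
UDP question info at 000001E8B1F2D3C0
  Socket = 508
  Remote addr 10.0.0.25, port 53921
5/10/2023 10:15:42 AM 0A2C PACKET  000001E8B1F2D3C0 UDP Snd 10.0.0.25       8f3a R Q [8081   DR  NOERROR] A      (7)example(3)com(0)
"""


def decode_qname(wire):
    """Turn the length-prefixed "(7)example(3)com(0)" into "example.com"."""
    return ".".join(l for _, l in re.findall(r'\((\d+)\)([^(]*)', wire) if l)


def parse_dns_log(text):
    """Group lines as Filebeat's multiline setting would, then parse each header."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append([line])
        else:
            records[-1].append(line)
    events = []
    for lines in records:
        m = HEADER.match(lines[0])
        if not m:
            continue                      # not a PACKET line (e.g. a file banner)
        events.append({
            "timestamp": m["ts"], "protocol": m["proto"], "direction": m["dir"],
            "remote_ip": m["ip"], "xid": m["xid"], "response": m["resp"] == "R",
            "flags": m["flags"].split(), "qtype": m["qtype"], "qname": decode_qname(m["qname"]),
            "detail_lines": len(lines) - 1,   # 0 for regular logs, >0 for detailed
            "fields": dict(ADD_FIELDS),       # the values Cortex XDR keys on
        })
    return events
```

Pointing parse_dns_log at a regular (non-detailed) log yields the same event shape with detail_lines equal to 0.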