Well, if your SIEM can’t parse it, it’s pretty easy to do with WMI/PowerShell.
From: [email protected] [mailto:[email protected]] On Behalf Of Richard Stovall
Sent: Thursday, January 7, 2016 3:16 PM
To: [email protected]
Subject: Re: [NTSysADM] Source of DNS queries

Not averse to it, per se. They just get pretty big pretty quickly, and are temporal because they wrap as well. Just thinking out loud about how it would be nice to have the relevant info in a single, non-expiring repository.

On Thu, Jan 7, 2016 at 2:41 PM, Michael B. Smith <[email protected]> wrote:

Why are you averse to scanning the logs?

From: [email protected] [mailto:[email protected]] On Behalf Of Richard Stovall
Sent: Thursday, January 7, 2016 1:49 PM
To: [email protected]
Subject: [NTSysADM] Source of DNS queries

I am in the early stages of deploying a SIEM solution, and one of the things that pops up occasionally is an alarm for when a DNS query is conducted and the response contains a known-malicious IP. What I'm trying to do is figure out which machine queried the DNS server, because the alert just shows that a query response with the malicious IP went back to the DNS server.

Short of enabling DNS debug logging on my MS DNS servers and picking through them to find the source of the query, is there another solution that's more permanent?

I'm thinking that if I had something like a "DNS proxy" that does the kind of logging I'm looking for, that would be great. Essentially a DNS server that forwards everything on to the 'regular' servers.

client <--> proxy <--> internal DNS server <--> external DNS servers

Just messing around with ideas. Anyone have a solution to this already in place? (Preferably one that's affordable for the little guys. :-)

Thanks,
RS
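The log-scanning approach Michael refers to, written out as an added PowerShell example (this is not code from the thread or from either poster): it parses the packet lines of a Windows DNS debug log and lists which client asked for a given name. The field layout follows the key the DNS server writes at the top of its own debug log (date, time, thread ID, context, packet ID, UDP/TCP, Snd/Rcv, remote IP, XID, R flag, opcode, flags, question type, question name); the sample lines, client addresses and the log path are constructed for the example. The malicious-IP alert Richard describes is raised on the response the DNS server receives from its upstream, so the line that names the machine is the earlier query the server received from the client for the same name, which is what the filter keeps.

```powershell
# Added example, not part of the original thread. Log path and sample lines are assumptions.

function Convert-DnsLabelName {
    # Turns the debug-log wire form "(3)www(7)example(3)com(0)" into "www.example.com".
    param([string]$Wire)
    $labels = [regex]::Matches($Wire, '\((\d+)\)([^()]*)') |
        ForEach-Object { $_.Groups[2].Value } |
        Where-Object { $_ -ne '' }
    return ($labels -join '.')
}

function Find-DnsQuerySource {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,   # lines of the DNS debug log
        [Parameter(Mandatory)][string]$Name          # name the SIEM alert reported, e.g. bad.example.com
    )
    # Packet line: <timestamp> <thread> PACKET <packetId> <UDP|TCP> <Snd|Rcv> <remoteIP> <xid> [R] <opcode> [flags] <qtype> <qname>
    $pattern = '^(?<ts>.+?) [0-9A-Fa-f]{4} PACKET\s+\S+ (?<proto>UDP|TCP) (?<dir>Snd|Rcv) (?<ip>\S+)\s+(?<xid>[0-9A-Fa-f]{4})\s+(?<resp>R)?\s*(?<op>[QNU?]) \[[^\]]*\]\s+(?<qtype>\S+)\s+(?<qname>\S+)\s*$'

    foreach ($line in $LogLines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }
        # Only queries the server *received* (Rcv without the R response flag) carry the asking host's
        # address. Responses received from the upstream show the upstream's IP, not the client's.
        if ($m.Groups['dir'].Value -ne 'Rcv' -or $m.Groups['resp'].Value -eq 'R') { continue }
        $qname = Convert-DnsLabelName $m.Groups['qname'].Value
        if ($qname -ne $Name) { continue }   # -ne is case-insensitive in PowerShell, which suits DNS names
        [pscustomobject]@{
            Time     = $m.Groups['ts'].Value
            ClientIP = $m.Groups['ip'].Value
            Type     = $m.Groups['qtype'].Value
            Name     = $qname
        }
    }
}

# Constructed sample of the four packets one recursive lookup produces, plus an unrelated query.
# 198.51.100.53 stands in for the upstream forwarder; 10.0.x.x are the internal clients.
$sampleLog = @'
1/7/2016 2:30:01 PM 0B1C PACKET  0000000002A3D6A0 UDP Rcv 10.0.1.57       4c2a   Q [0001   D   NOERROR] A      (3)bad(7)example(3)com(0)
1/7/2016 2:30:01 PM 0B1C PACKET  0000000002A3D6A0 UDP Snd 198.51.100.53   7e10   Q [0001   D   NOERROR] A      (3)bad(7)example(3)com(0)
1/7/2016 2:30:01 PM 0B1C PACKET  0000000002A3D6A0 UDP Rcv 198.51.100.53   7e10 R Q [8081   DR  NOERROR] A      (3)bad(7)example(3)com(0)
1/7/2016 2:30:01 PM 0B1C PACKET  0000000002A3D6A0 UDP Snd 10.0.1.57       4c2a R Q [8081   DR  NOERROR] A      (3)bad(7)example(3)com(0)
1/7/2016 2:30:05 PM 0B1C PACKET  0000000002A3D6A0 UDP Rcv 10.0.2.14       91f3   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
'@

$lines = $sampleLog -split "`r?`n"
Find-DnsQuerySource -LogLines $lines -Name 'bad.example.com' | Format-Table -AutoSize

# Against a real server (assumed path), keeping a copy of the hits so they survive the log wrapping:
# Find-DnsQuerySource -LogLines (Get-Content 'C:\dns\dns.log') -Name 'bad.example.com' |
#     Export-Csv 'C:\dns\query-sources.csv' -Append -NoTypeInformation
```

On the sample above only the first line survives the filter, giving 10.0.1.57 as the host that asked. Two caveats a practitioner will run into: if clients reach this server through another forwarder or caching resolver, the Rcv address is that intermediate box rather than the end host, and because the debug log wraps (Richard's objection), the scan has to run on a schedule and write its hits somewhere durable, as the Export-Csv line sketches, if the result is to serve as the non-expiring repository he is after.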
