The SIEM can do it, but I guess I'm missing how to get it in there using
the default tools in Windows Server.

On Thu, Jan 7, 2016 at 3:48 PM, Michael B. Smith <[email protected]>
wrote:

> Well, if your SIEM can’t parse it, it’s pretty easy to do with
> WMI/PowerShell.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Richard Stovall
> *Sent:* Thursday, January 7, 2016 3:16 PM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] Source of DNS queries
>
> Not averse to it, per se.  They just get pretty big pretty quickly, and
> are temporal because they wrap as well.
>
> Just thinking out loud about how it would be nice to have the relevant
> info in a single, non-expiring repository.
>
> On Thu, Jan 7, 2016 at 2:41 PM, Michael B. Smith <[email protected]>
> wrote:
>
> Why are you averse to scanning the logs?
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Richard Stovall
> *Sent:* Thursday, January 7, 2016 1:49 PM
> *To:* [email protected]
> *Subject:* [NTSysADM] Source of DNS queries
>
> I am in the early stages of deploying a SIEM solution and one of the
> things that pop up occasionally is alarms for when a DNS query is
> conducted and the response contains a known-malicious IP.  What I'm trying
> to do is figure out which machine queried the DNS server because the alert
> just shows that a query response with the malicious IP went back to the DNS
> server.
>
> Short of enabling DNS debug logging on my MS DNS servers and picking
> through them to find the source of the query, is there another solution
> that's more permanent?
>
> I'm thinking that if I had something like a "DNS proxy" that does the kind
> of logging I'm looking for, that would be great.  Essentially a DNS server
> that forwards everything on to the 'regular' servers.
>
> client  <-->  proxy  <-->  internal DNS server  <-->  external DNS servers
>
> Just messing around with ideas.  Anyone have a solution to this already in
> place?  (Preferably one that's affordable for the little guys.  :-)
>
> Thanks,
> RS
>
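The thread's two threads of advice (enable DNS debug logging on the Windows DNS servers; parse it with PowerShell so the SIEM gets the client address) can be combined into one small script. What follows is an added example written for this page, not code posted by anyone in the thread. It assumes the Windows DNS Server debug log packet layout (date, thread id, context, packet id, protocol, Snd/Rcv, remote IP, transaction id, optional `R` for responses, opcode, flags, query type, length-prefixed name); the log path `C:\DnsLogs\dns.log`, the function names and every log line below are constructed for illustration.

```powershell
# Added example, not code from the thread: parse a Windows DNS Server debug log
# (enabled via the "Debug Logging" tab in DNS Manager or Set-DnsServerDiagnostics)
# and answer "which client asked this server for that name?".
# The file path and all sample lines are constructed for illustration.

# One packet record per line, in the debug-log layout:
#   Date Time ThreadId Context InternalPacketId Proto Snd/Rcv RemoteIP Xid [R] Op [Flags Rcode] QType QName
# QName is written as length-prefixed labels, e.g. (3)www(7)example(3)com(0).
$DnsPacketPattern = [regex]::new(
    '^(?<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+' +
    '(?<thread>\S+)\s+PACKET\s+(?<packet>\S+)\s+' +
    '(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>\S+)\s+(?<xid>\S+)\s+' +
    '(?:(?<resp>R)\s+)?(?<op>\S)\s+\[(?<flags>[^\]]*)\]\s+' +
    '(?<qtype>\S+)\s+(?<qname>\S+)',
    [System.Text.RegularExpressions.RegexOptions]::Compiled)

function ConvertFrom-DnsDebugLog {
    # Turns raw debug-log lines into objects; header, blank and non-packet lines are skipped.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Line)
    process {
        foreach ($text in $Line) {
            $m = $DnsPacketPattern.Match($text)
            if (-not $m.Success) { continue }
            [pscustomobject]@{
                Time       = [datetime]::ParseExact($m.Groups['date'].Value, 'M/d/yyyy h:mm:ss tt',
                                                    [cultureinfo]::InvariantCulture)
                Protocol   = $m.Groups['proto'].Value
                Direction  = $m.Groups['dir'].Value      # Rcv = packet arrived at this server
                RemoteIP   = $m.Groups['ip'].Value       # for a received query: the client
                IsResponse = $m.Groups['resp'].Success   # "R" column present = response packet
                Rcode      = ($m.Groups['flags'].Value -split '\s+')[-1]
                QType      = $m.Groups['qtype'].Value
                # "(3)www(7)example(3)com(0)" -> "www.example.com"
                QName      = ($m.Groups['qname'].Value -replace '\(\d+\)', '.').Trim('.')
            }
        }
    }
}

function Find-DnsQueryClient {
    # Lists the clients that sent this server a query for $Name (wildcards allowed).
    # Received responses (the upstream forwarder answering) are excluded by IsResponse.
    param(
        [Parameter(Mandatory)][string[]]$Line,
        [Parameter(Mandatory)][string]$Name
    )
    $Line | ConvertFrom-DnsDebugLog |
        Where-Object { $_.Direction -eq 'Rcv' -and -not $_.IsResponse -and $_.QName -like $Name } |
        Select-Object Time, RemoteIP, QType, QName
}

# Constructed sample: two header lines, then one workstation resolving a name (the
# server forwards upstream and relays the answer) and a second workstation asking
# for a different name a minute later.
$SampleLog = @'
DNS Server log file creation at 1/7/2016 3:00:00 PM
Log file wrap at 1/7/2016 3:00:00 PM
1/7/2016 3:16:05 PM 0B58 PACKET  000000A7F3D2B4D0 UDP Rcv 10.1.20.45       0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
1/7/2016 3:16:05 PM 0B58 PACKET  000000A7F3D2B4D0 UDP Snd 203.0.113.53     0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
1/7/2016 3:16:05 PM 0B58 PACKET  000000A7F3D2C1E0 UDP Rcv 203.0.113.53     0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
1/7/2016 3:16:05 PM 0B58 PACKET  000000A7F3D2B4D0 UDP Snd 10.1.20.45       0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
1/7/2016 3:17:11 PM 0B58 PACKET  000000A7F3D2D9F0 UDP Rcv 10.1.20.77       9a4c   Q [0001   D   NOERROR] A      (3)bad(7)example(3)net(0)
'@

$Lines = $SampleLog -split "`r?`n"
# Which machine asked for bad.example.net? (10.1.20.77 in the sample.)
Find-DnsQueryClient -Line $Lines -Name 'bad.example.net' | Format-Table -AutoSize

# Against a real log, stream the file and hand the SIEM a flat CSV of received
# queries instead of the raw, wrapping debug log:
# Get-Content 'C:\DnsLogs\dns.log' | ConvertFrom-DnsDebugLog |
#     Where-Object { $_.Direction -eq 'Rcv' -and -not $_.IsResponse } |
#     Export-Csv 'C:\DnsLogs\dns-queries.csv' -NoTypeInformation
```

Two caveats for anyone doing this for real. The packet line records only the question, not the answer data, so the join with the SIEM alert is on the queried name and the time window, not on the returned malicious address. And the forwarding Windows DNS server already sees the client IP on every received query, so a separate proxy in front of it adds nothing for this purpose; the gap Richard describes is only getting that field into the SIEM before the debug log wraps. On Windows Server 2012 R2 and later the analytic ETW channel (Microsoft-Windows-DNSServer/Analytical) records each received query with its source address and is the lighter-weight option once available.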
