And, thanks to y'all for helping me talk it out, here's the general direction for what I'm trying to do.
https://www.alienvault.com/forums/discussion/4564/how-to-get-my-dns-logs-into-usm

Woot!

On Thu, Jan 7, 2016 at 3:55 PM, Richard Stovall <[email protected]> wrote:
> The SIEM can do it, but I guess I'm missing how to get it in there using
> the default tools in Windows Server.
>
> On Thu, Jan 7, 2016 at 3:48 PM, Michael B. Smith <[email protected]> wrote:
>
>> Well, if your SIEM can't parse it, it's pretty easy to do with
>> WMI/PowerShell.
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Richard Stovall
>> Sent: Thursday, January 7, 2016 3:16 PM
>> To: [email protected]
>> Subject: Re: [NTSysADM] Source of DNS queries
>>
>> Not averse to it, per se. They just get pretty big pretty quickly, and
>> are temporal because they wrap as well.
>>
>> Just thinking out loud about how it would be nice to have the relevant
>> info in a single, non-expiring repository.
>>
>> On Thu, Jan 7, 2016 at 2:41 PM, Michael B. Smith <[email protected]> wrote:
>>
>> Why are you averse to scanning the logs?
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Richard Stovall
>> Sent: Thursday, January 7, 2016 1:49 PM
>> To: [email protected]
>> Subject: [NTSysADM] Source of DNS queries
>>
>> I am in the early stages of deploying a SIEM solution, and one of the
>> things that pops up occasionally is alarms for when a DNS query is
>> conducted and the response contains a known-malicious IP. What I'm trying
>> to do is figure out which machine queried the DNS server, because the alert
>> just shows that a query response with the malicious IP went back to the DNS
>> server.
>>
>> Short of enabling DNS debug logging on my MS DNS servers and picking
>> through them to find the source of the query, is there another solution
>> that's more permanent?
>>
>> I'm thinking that if I had something like a "DNS proxy" that does the
>> kind of logging I'm looking for, that would be great. Essentially a DNS
>> server that forwards everything on to the 'regular' servers.
>>
>> client <--> proxy <--> internal DNS server <--> external DNS servers
>>
>> Just messing around with ideas. Anyone have a solution to this already
>> in place? (Preferably one that's affordable for the little guys. :-)
>>
>> Thanks,
>> RS
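The thread's two practical points are that the Windows DNS debug log is the one built-in place that records which client sent a query, and that parsing it with PowerShell is straightforward. The following is an added example written for this page, not code posted by anyone in the thread. It assumes the debug log was enabled with incoming query packets logged and that packet lines follow the usual layout (date, time, thread id, PACKET, packet id, protocol, Snd/Rcv, remote IP, transaction id, optional R for a response, Q, bracketed flags, query type, then the name written as `(3)www(7)example(3)com(0)`); the function names and the sample log lines are hypothetical and constructed here.

```powershell
# Added example (not from the thread): find the asking client in Windows DNS
# Server debug-log packet lines. Assumed line layout:
#   <date> <time> <AM|PM> <threadId> PACKET <packetId> <UDP|TCP> <Snd|Rcv> <remoteIp> <xid> [R] Q [<flags>] <qtype> <name>
# where <name> is label-length encoded, e.g. (3)www(7)example(3)com(0).
# Function names are hypothetical; the sample lines below are constructed.

function ConvertFrom-DnsDebugName {
    # "(3)www(7)example(3)com(0)" -> "www.example.com"
    param([string]$Labeled)
    $dotted = $Labeled -replace '\(\d+\)', '.'
    return $dotted.Trim('.')
}

function Get-DnsQuerySource {
    # Emits one object per query *received from a client* whose name matches -Name.
    # Sent packets and responses (R) are skipped: they identify the resolver,
    # not the machine that asked, which is what the SIEM alert lacks.
    param(
        [Parameter(Mandatory = $true)][string[]]$LogLine,
        [string]$Name = '*'
    )
    $pattern = '^(?<when>\S+\s+\S+\s+[AP]M)\s+\S+\s+PACKET\s+\S+\s+(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>\S+)\s+(?<xid>\S+)\s+(?:(?<resp>R)\s+)?Q\s+\[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)'
    foreach ($line in $LogLine) {
        # Skip the file header, blank lines and anything that is not a packet line.
        if (-not ($line -match $pattern)) { continue }
        if ($Matches['dir'] -ne 'Rcv' -or $Matches['resp'] -eq 'R') { continue }
        $fqdn = ConvertFrom-DnsDebugName $Matches['qname']
        if ($fqdn -notlike $Name) { continue }
        [pscustomobject]@{
            Time   = $Matches['when']
            Client = $Matches['ip']
            Proto  = $Matches['proto']
            Type   = $Matches['qtype']
            Name   = $fqdn
        }
    }
}

# Constructed sample lines in the layout above (not a real capture).
$sample = @(
    '1/7/2016 3:16:02 PM 0F34 PACKET  000000A1B2C3D4E0 UDP Rcv 192.168.1.50    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)',
    '1/7/2016 3:16:02 PM 0F34 PACKET  000000A1B2C3D4E0 UDP Snd 192.168.1.50    0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)',
    '1/7/2016 3:16:05 PM 0F34 PACKET  000000A1B2C3D4F8 UDP Rcv 192.168.1.77    0003   Q [0001   D   NOERROR] A      (3)bad(7)example(3)net(0)',
    '1/7/2016 3:16:07 PM 0F34 PACKET  000000A1B2C3D500 UDP Rcv 192.168.1.50    0004   Q [0001   D   NOERROR] A      (3)bad(7)example(3)net(0)'
)

# Which clients asked for the name the SIEM flagged? One row per asking client.
Get-DnsQuerySource -LogLine $sample -Name 'bad.example.net' |
    Group-Object Client |
    Select-Object @{n = 'Client'; e = { $_.Name }}, Count, @{n = 'FirstSeen'; e = { $_.Group[0].Time }}

# Against a real log (path is a placeholder):
# Get-DnsQuerySource -LogLine (Get-Content 'C:\Logs\dns.log') -Name 'bad.example.net'
```

On the constructed sample this reports 192.168.1.77 and 192.168.1.50 as the two clients that asked for bad.example.net, and ignores the response line for www.example.com. Because the debug log wraps, as Richard notes, the useful pattern is to run a filter like this on a schedule and forward only the parsed query/client pairs to the SIEM, which keeps the permanent record small even when the raw log is large.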
