
[ASIM: NXLog ASIM DNS PARSER UPDATES] #8516

71 changes: 63 additions & 8 deletions Parsers/ASimDns/Parsers/ASimDnsMicrosoftNXlog.yaml
@@ -1,12 +1,12 @@
Parser:
Title: DNS activity ASIM parser for Microsoft DNS logs collected using NXlog
Version: '0.4'
LastUpdated: Dec 11 2022
Version: '0.5'
LastUpdated: Jul 10 2023
Product:
Name: MS DNS Events
Normalization:
Schema: Dns
Version: '0.1.3'
Version: '0.1.7'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/ASimDnsDoc
Expand Down Expand Up @@ -159,8 +159,62 @@ ParserQuery: |
, 29,'LOC'
, 30,'NXT'
, 31,'EID'
, 32,'NIMLOC'
, 32,'NB'
, 33,'SRV'
, 34,'ATMA'
, 35,'NAPTR'
, 36,'KX'
, 37,'CERT'
, 38,'A6'
, 39,'DNAME'
, 40,'SINK'
, 41,'OP'
, 42,'APL'
, 43,'DS'
, 44,'SSHFP'
, 45,'IPSECKEY'
, 46,'RRSIG'
, 47,'NSEC'
, 48,'DNSKEY'
, 49,'DHCID'
, 50,'NSEC3'
, 51,'NSEC3PARAM'
, 52,'TLSA'
, 53,'SMIMEA'
, 55,'HIP'
, 56,'NINFO'
, 57,'RKEY'
, 58,'TALINK'
, 59,'CDS'
, 60,'CDNSKEY'
, 61,'OPENPGPKEY'
, 62,'CSYNC'
, 63,'ZONEMD'
, 64,'SVCB'
, 65,'HTTPS'
, 99,'SPF'
, 100,'UINFO'
, 101,'UID'
, 102,'GID'
, 103,'UNSPEC'
, 104,'NID'
, 105,'L32'
, 106,'L64'
, 107,'LP'
, 108,'EUI48'
, 109,'EUI64'
, 249,'TKEY'
, 250,'TSIG'
, 251,'IXFR'
, 252,'AXFR'
, 253,'MAILB'
, 254,'MAILA'
, 255,'*'
, 256,'URI'
, 257,'CAA'
, 259,'DOA'
, 32768,'TA'
, 32769,'DLV'
];
NXLog_DNS_Server_CL | where not(disabled)
| where EventID_d < 281
Expand All @@ -181,9 +235,10 @@ ParserQuery: |
DnsResponseCode=toint(DnsResponseCode),
SrcPortNumber=toint(Port_s),
DvcHostname=Dvc,
DvcIpAddr=iff(HostIP_s == "","0.0.0.0",HostIP_s),
EventEndTime=EventStartTime,
EventProduct = "DNS Server",
EventSchemaVersion = "0.1.3",
EventSchemaVersion = "0.1.7",
EventVendor = "Microsoft",
EventSchema = "Dns",
EventCount = int(1),
Expand Down Expand Up @@ -211,11 +266,11 @@ ParserQuery: |
, DnsQueryType between (261 .. 32767), 'Unassigned'
, 'Unassigned'),
EventResult=iff (EventResult == "Based on RCODE", iff(DnsResponseCode == 0, "Success", "Failure"),EventResult)
| extend
| extend
// Aliases
IpAddr = SrcIpAddr,
Src = SrcIpAddr
| project-away
*_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName, Computer, RawData
};
ASimDnsMicrosoftNXLog(disabled)
};
ASimDnsMicrosoftNXLog(disabled)
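Review bot: The added `DvcIpAddr=iff(HostIP_s == "","0.0.0.0",HostIP_s)` in the `@@ -181,9 +235,10 @@` hunk writes a synthetic address into a normalized field whenever the source record carries no host IP, so anything that groups, joins or alerts on DvcIpAddr (asset lookups, "unexpected DNS server" rules) will treat 0.0.0.0 as an observed address. Passing the source value through and leaving the field empty when the source is empty keeps the "not available" state visible instead of a value that looks real: `DvcIpAddr = HostIP_s,`. The same line is added in the matching hunk of Parsers/ASimDns/Parsers/vimDnsMicrosoftNXlog.yaml and should be changed there too. The assignment list this line belongs to starts before and continues after the hunk.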
76 changes: 63 additions & 13 deletions Parsers/ASimDns/Parsers/vimDnsMicrosoftNXlog.yaml
@@ -1,12 +1,12 @@
Parser:
Title: DNS activity ASIM filtering parser for Microsoft DNS logs collected using NXlog
Version: '0.4'
LastUpdated: Dec 11 2022
Version: '0.5'
LastUpdated: Jul 10 2023
Product:
Name: MS DNS Events
Normalization:
Schema: Dns
Version: '0.1.3'
Version: '0.1.7'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/ASimDnsDoc
Expand Down Expand Up @@ -190,8 +190,62 @@ ParserQuery: |
, 29,'LOC'
, 30,'NXT'
, 31,'EID'
, 32,'NIMLOC'
, 32,'NB'
, 33,'SRV'
, 34,'ATMA'
, 35,'NAPTR'
, 36,'KX'
, 37,'CERT'
, 38,'A6'
, 39,'DNAME'
, 40,'SINK'
, 41,'OP'
, 42,'APL'
, 43,'DS'
, 44,'SSHFP'
, 45,'IPSECKEY'
, 46,'RRSIG'
, 47,'NSEC'
, 48,'DNSKEY'
, 49,'DHCID'
, 50,'NSEC3'
, 51,'NSEC3PARAM'
, 52,'TLSA'
, 53,'SMIMEA'
, 55,'HIP'
, 56,'NINFO'
, 57,'RKEY'
, 58,'TALINK'
, 59,'CDS'
, 60,'CDNSKEY'
, 61,'OPENPGPKEY'
, 62,'CSYNC'
, 63,'ZONEMD'
, 64,'SVCB'
, 65,'HTTPS'
, 99,'SPF'
, 100,'UINFO'
, 101,'UID'
, 102,'GID'
, 103,'UNSPEC'
, 104,'NID'
, 105,'L32'
, 106,'L64'
, 107,'LP'
, 108,'EUI48'
, 109,'EUI64'
, 249,'TKEY'
, 250,'TSIG'
, 251,'IXFR'
, 252,'AXFR'
, 253,'MAILB'
, 254,'MAILA'
, 255,'*'
, 256,'URI'
, 257,'CAA'
, 259,'DOA'
, 32768,'TA'
, 32769,'DLV'
];
NXLog_DNS_Server_CL | where not(disabled)
| where EventID_d < 281
Expand Down Expand Up @@ -228,9 +282,10 @@ ParserQuery: |
DnsResponseCode=toint(DnsResponseCode),
SrcPortNumber=toint(Port_s),
DvcHostname=Dvc,
DvcIpAddr=iff(HostIP_s == "","0.0.0.0",HostIP_s),
EventEndTime=EventStartTime,
EventProduct = "DNS Server",
EventSchemaVersion = "0.1.3",
EventSchemaVersion = "0.1.7",
EventVendor = "Microsoft",
EventSchema = "Dns",
EventCount = int(1),
Expand All @@ -239,6 +294,7 @@ ParserQuery: |
DnsFlagsAuthenticated = tobool(AD_s),
DnsFlagsAuthoritative = tobool(AA_s),
DnsFlagsRecursionDesired = tobool(RD_s)
| lookup EventTypeTable on EventOriginalType
| lookup EventSubTypeTable on EventOriginalType
| lookup EventResultTable on EventOriginalType
| lookup RCodeTable on DnsResponseCode
Expand All @@ -256,17 +312,11 @@ ParserQuery: |
, DnsQueryType between (110 .. 248), 'Unassigned'
, DnsQueryType between (261 .. 32767), 'Unassigned'
, 'Unassigned'),
EventResult=iff (EventResult == "Based on RCODE", iff(DnsResponseCode == 0, "Success", "Failure"),EventResult)
EventResult=iff (EventResult == "Based on RCODE", iff(DnsResponseCode == 0, "Success", "Failure"),EventResult)
| extend
// Aliases
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
// Backward compatibility
Query = DnsQuery,
QueryType = DnsQueryType,
QueryTypeName = DnsQueryTypeName,
ResponseCode = DnsResponseCode,
ResponseCodeName = DnsResponseCodeName
Src = SrcIpAddr
| project-away
*_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName, Computer, RawData
};
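Review bot: The last hunk (`@@ -256,17 +312,11 @@`) removes the `// Backward compatibility` aliases Query, QueryType, QueryTypeName, ResponseCode and ResponseCodeName from the filtering parser, and nothing visible on this page (the PR title, the Version bump to '0.5') records that as a breaking change. Any saved hunting query, analytics rule or workbook that selects those columns through vimDnsMicrosoftNXLog will fail on an unknown column rather than degrade, because the columns simply stop existing. Either keep the alias block for a deprecation window or state the removal explicitly in the PR description so existing deployments can be checked before the new version is published. The `| extend` list this hunk ends also includes the `EventResult=iff (...)` line, which differs from the old side only in whitespace.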