[Windows] DNS Analytical and Audit event support #6586

jamiehynds opened this issue Jun 15, 2023 · 8 comments · Fixed by #9722

Labels
8.13 candidate Epic New Integration Team:Security-Windows Platform Security Windows Platform Team [elastic/sec-windows-platform]

Comments

@jamiehynds

jamiehynds commented Jun 15, 2023

Description

Attackers are using DNS for data theft, denial-of-service, and other malicious activity. Proactive monitoring of DNS activity can help network administrators quickly detect and respond to these threats. The Domain Name System (DNS) provides a hierarchy of names for computers and services on the Internet or other networks. Its most noteworthy function is the translation of domain names such as example.com into IP addresses. DNS is required for the Internet to function, operates on a global scale, and is massively distributed.

Common types of DNS attacks include DNS hijacking, DNS tunnelling, various denial-of-service (DoS) attacks and DNS cache poisoning.

By proactively monitoring DNS audit logs and query traffic, IT personnel can more quickly identify and respond to a DNS attack, reducing its impact.

Source: https://nxlog.co/whitepapers/dns-logging/

Architecture

Windows DNS Analytical logging is the most common event source that administrators and security analysts require visibility into. The analytical logs provide insight into every DNS transaction that takes place internally and externally on a network. The logs rely on Event Tracing for Windows (ETW) and are exposed via the Microsoft-Windows-DNSServer provider. For a deep dive on the architecture, see here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)

To provide full coverage of DNS events, we should also support DNS audit logs, which are written to the Microsoft-Windows-DNSServer/Audit event log and don't rely on event tracing.

Questions

  • Do we need a new Beat/input to ingest these events via Event Tracing for Windows?
  • If event trace support isn't an option, is there an alternative to event tracing, such as using a PowerShell script to write to a file/event log? Are there performance implications there? Windows generally recommends tracing for these logs to ensure no performance impact on DNS servers given the volume of data these events can generate.
  • ECS's DNS fieldset is limited to 18 fields currently. Given the detailed DNS logs provided by Windows DNS Server, more additional fields may be necessary.

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.

All changes

  • Change follows the contributing guidelines
  • Supported versions of the monitoring target are documented
  • Supported operating systems are documented (if applicable)
  • Integration or System tests exist
  • Documentation exists
  • Fields follow ECS and naming conventions
  • At least a manual test with ES / Kibana / Agent has been performed.
  • Required Kibana version set to:

New Package

  • Screenshot of the "Add Integration" page on Fleet added

Dashboards changes

  • Dashboards exists
  • Screenshots added or updated
  • Datastream filters added to visualizations

Log dataset changes

  • Pipeline tests exist (if applicable)
  • Generated output for at least 1 log file exists
  • Sample event (sample_event.json) exists

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@narph
Contributor

narph commented Jun 15, 2023

not sure how useful this is but linking here a previous attempt at etwbeat (collecting event tracing) https://github.com/narph/etwbeat based on docs https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing. In this case the provider is specified so this could simplify the implementation.

@nicpenning
Contributor

nicpenning commented Jun 17, 2023

This would be an interesting approach for DNS logging. I would be interested to see this come to light.

For the DNS field set, they do exist unless you are referring to something else?

https://www.elastic.co/guide/en/ecs/current/ecs-dns.html

Today security teams can use Sysmon (or other EDRs) to monitor DNS at the client level but this sounds like a server level monitor that is much more detailed.

@jamiehynds
Author

Thanks for chiming in @nicpenning. I've adjusted the point on the DNS fieldset.

@chemamartinez
Contributor

Since the recent addition of the ETW input, DNS Server Audit logs can be collected by ETW and also by the Winlog input (through the Windows Eventlog channel). I would like to remark on the differences between the two inputs in order to determine which input to use for this integration:

  • Event data: there are some differences in the content of audit events depending on the chosen input:

Eventlog

```json
{
  "winlog": {
    "computer_name": "EC2AMAZ-253CQ8C",
    "process": {
      "pid": 852,
      "thread": {
        "id": 1328
      }
    },
    "keywords": [
      "AUDIT_REC_ADMIN"
    ],
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "event_data": {
      "ZoneScope": "Default",
      "BufferSize": "16",
      "Type": "28",
      "VirtualizationID": ".",
      "Zone": "..Cache",
      "TTL": "0",
      "RDATA": "20010503BA3E00000000000000020030",
      "NAME": "A.ROOT-SERVERS.NET."
    },
    "opcode": "Info",
    "record_id": 8,
    "task": "ZONE_OP",
    "event_id": "515",
    "provider_guid": "{eb79061a-a566-4698-9119-3ed2807060e7}",
    "api": "wineventlog",
    "provider_name": "Microsoft-Windows-DNSServer",
    "user": {
      "identifier": "S-1-5-21-2397692938-4146434421-2570431792-500",
      "domain": "EC2AMAZ-253CQ8C",
      "name": "Administrator",
      "type": "User"
    }
  },
  "message": "A resource record of type 28, name A.ROOT-SERVERS.NET., TTL 0 and RDATA 0x20010503BA3E00000000000000020030 was created in scope Default of zone ..Cache. [virtualization instance: .]."
}
```

ETW

```json
{
  "winlog": {
    "process_id": "852",
    "thread_id": "6140",
    "task": "5",
    "keywords": "4611686018428436480",
    "provider_guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "session": "Elastic-DNSServer-Audit",
    "channel": "17",
    "flags": "576",
    "event_data": {
      "ZoneScope": "Default",
      "BufferSize": "22",
      "Type": "2",
      "VirtualizationID": ".",
      "Zone": "..Cache",
      "TTL": "0",
      "RDATA": "0x14422E524F4F542D534552564552532E4E45542E0000",
      "NAME": "@"
    },
    "opcode": "0",
    "version": 0,
    "activity_guid": "{00000000-0000-0000-0000-000000000000}"
  }
}
```

Focused on the event data (the rest of the event is similar for both inputs), we can see that we obtain better results from Eventlog. In particular, some fields are translated from their numerical codes to a human-readable form (keywords, opcode or task). In addition, a message field is included in the event with a description.

  • Regarding the available parameters when configuring the integration, currently the Eventlog API provides some options that are missing in the ETW API, such as filtering by event ID, ignoring older events or preserving the original event. On the other hand, Analytical events must use the ETW input, so the integration would be more homogeneous if both data streams used the same input.
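The two samples above differ in shape (nested `process.pid` versus flat `process_id`, GUID casing, a `0x` prefix on the ETW RDATA, and a `message` that only the Eventlog input supplies), while the `event_data` payload is the same in both. The following normalizer is an added illustration, not code from this issue or from the Elastic integration: it folds either shape into one record, translates the standard IANA resource-record type code and decodes the RDATA hex for A/AAAA records into an address. The RDATA layout for other record types (such as the NS record in the ETW sample) is not documented in this thread, so those are kept as normalized hex. The two sample events are constructed from the abbreviated JSON in the comment, and the `dns.answers` layout is only an approximation of the ECS DNS fieldset mentioned earlier.

```python
import ipaddress
from typing import Any

# Standard DNS resource-record type codes (IANA registry); used to translate
# the numeric "Type" string that both inputs carry.
RR_TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
                 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}

# Constructed from the Eventlog sample in the thread (trimmed to the fields used).
EVENTLOG_SAMPLE = {
    "winlog": {
        "process": {"pid": 852, "thread": {"id": 1328}},
        "channel": "Microsoft-Windows-DNSServer/Audit",
        "event_data": {"ZoneScope": "Default", "Type": "28", "Zone": "..Cache",
                       "TTL": "0", "RDATA": "20010503BA3E00000000000000020030",
                       "NAME": "A.ROOT-SERVERS.NET."},
        "provider_guid": "{eb79061a-a566-4698-9119-3ed2807060e7}",
    },
    "message": "A resource record of type 28, name A.ROOT-SERVERS.NET., TTL 0 ... was created",
}

# Constructed from the ETW sample in the thread (trimmed to the fields used).
ETW_SAMPLE = {
    "winlog": {
        "process_id": "852",
        "thread_id": "6140",
        "session": "Elastic-DNSServer-Audit",
        "provider_guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
        "event_data": {"ZoneScope": "Default", "Type": "2", "Zone": "..Cache",
                       "TTL": "0",
                       "RDATA": "0x14422E524F4F542D534552564552532E4E45542E0000",
                       "NAME": "@"},
    }
}


def decode_rdata(rr_type: int, rdata_hex: str) -> str:
    """Return a readable RDATA value: an IP address for A/AAAA records,
    otherwise the hex blob normalized to lower case without a 0x prefix."""
    raw = rdata_hex.lower()
    if raw.startswith("0x"):          # ETW sample carries a 0x prefix, Eventlog does not
        raw = raw[2:]
    data = bytes.fromhex(raw)
    if rr_type == 1 and len(data) == 4:
        return str(ipaddress.IPv4Address(data))
    if rr_type == 28 and len(data) == 16:
        return str(ipaddress.IPv6Address(data))
    return raw


def normalize_audit_event(event: dict[str, Any]) -> dict[str, Any]:
    """Fold an Eventlog- or ETW-shaped DNS Server audit event into one record."""
    winlog = event["winlog"]
    ed = winlog["event_data"]
    rr_type = int(ed["Type"])
    # Process id is a nested int under Eventlog and a flat string under ETW.
    if "process" in winlog:
        pid = int(winlog["process"]["pid"])
    else:
        pid = int(winlog["process_id"])
    return {
        # The ETW input records the trace session name; Eventlog does not.
        "input": "etw" if "session" in winlog else "eventlog",
        "provider_guid": winlog["provider_guid"].lower(),   # unify GUID casing
        "process_pid": pid,
        "dns": {
            "zone": ed["Zone"],
            "zone_scope": ed["ZoneScope"],
            "answers": [{
                "name": ed["NAME"],
                "type": RR_TYPE_NAMES.get(rr_type, str(rr_type)),
                "ttl": int(ed["TTL"]),
                "data": decode_rdata(rr_type, ed["RDATA"]),
            }],
        },
        "message": event.get("message"),   # None for ETW: no rendered message there
    }


if __name__ == "__main__":
    for sample in (EVENTLOG_SAMPLE, ETW_SAMPLE):
        print(normalize_audit_event(sample))
```

Running the block shows the AAAA record from the Eventlog sample decoding to `2001:503:ba3e::2:30`, while the ETW sample keeps its NS RDATA as hex and has no `message`; the `input` field makes the source visible downstream, which matters if both data streams end up in the same index.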

@nicpenning
Contributor

Does the Winlog apply to Filebeat as the source via Custom Windows Event logs as well?

@jamiehynds
Author

jamiehynds commented Apr 9, 2024

Thanks for continuing to work through this one @chemamartinez. Given that the Windows DNS events can be split across Analytical and Audit events, I think it makes sense to have a single 'Windows DNS' package which covers both. Two data streams will be needed, one for Analytical (ETW input) and one for Audit events (using winlog). Users can then easily onboard, map, parse and visualise their DNS data via a single package.
