Azure-Sentinel/Parsers/bind9_syslog.txt

29 строки
1.6 KiB
Plaintext
Исходник Обычный вид История

2020-10-23 21:14:39 +03:00
// Title: BIND9 DNS syslog query parser
2020-10-23 21:10:15 +03:00
// Author: Microsoft
// Version: 1.0
// Last Updated: 10/23/2020
// Comment: Initial publish
//
// DESCRIPTION:
2020-10-23 21:14:39 +03:00
// This parser takes raw BIND9 DNS query logs from a Syslog data stream and parses the data into a normalized schema. It specifically parses the client IP and queried domain.
2020-10-23 21:10:15 +03:00
//
// USAGE:
// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window.
2020-10-23 21:14:39 +03:00
// 2. In the query window, on the 2nd line of the query, confirm the Facility of the logstream (usually "daemon", but check your BIND conf files). Run the query to validate data is being recieved and parsed.
2020-10-23 21:10:15 +03:00
// 3. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name.
//
// REFERENCES:
// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
//
// LOG SAMPLES:
// This parser assumes the raw log are formatted as follows:
//
// Oct 23 16:32:52 nameserverhostname named[PID]: client @0x7ff34c4f32a0 x.x.x.x#port (example.com): query: example.com IN AAAA + (y.y.y.y)
//
// where x.x.x.x is the client IP and y.y.y.y is the dns server IP
//
//
Syslog
| where Facility == "daemon" and ProcessName == "named" and SyslogMessage contains "query"
| extend Domain = extract("(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})",1, tolower(SyslogMessage))
| extend ClientIP = extract("([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))",2,SyslogMessage)