Updated the KQL function for parsing fields as normalized DNS ASim data per Ofer's instructions

Created a new set of sample data that includes DvcIpAddr
Adjusted the example queries as needed for time slices that will match the new set of events
John Kirch 2021-09-17 00:45:12 -05:00
Родитель 27c5d5df71
Коммит 63c3622d55
6 изменённых файлов: 40721 добавлений и 262 удалений



@ -3,7 +3,7 @@
"title": "NXLog DNS Logs",
"publisher": "NXLog",
"descriptionMarkdown": "The NXLog DNS Logs data connector uses Event Tracing for Windows ([ETW](https://docs.microsoft.com/windows/apps/trace-processing/overview)) for collecting both Audit and Analytical DNS Server events. The [NXLog *im_etw* module](https://nxlog.co/documentation/nxlog-user-guide/im_etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. This REST API connector can forward DNS Server events to Azure Sentinel in real time.",
"additionalRequirementBanner": "This data connector depends on parsers based on Kusto functions deployed with the Azure Sentinel Solution to work as expected. The [**NXLog_parsed_DNS_Server_ASim_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_ASim_view.txt) is designed to leverage Azure Sentinel's built-in DNS-related analytics capabilities. The other fucntions, [**NXLog_parsed_DNS_Server_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_view.txt), [**NXLog_parsed_DNS_Audit_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Audit_view.txt), and [**NXLog_parsed_DNS_Analytical_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Analytical_view.txt) are designed to work with custom analytics that use the NXLog schema for Windows DNS Server events.",
"additionalRequirementBanner": "This data connector depends on parsers based on Kusto functions deployed with the Azure Sentinel Solution to work as expected. The [**NXLog_parsed_DNS_Server_ASim_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_ASim_view.txt) is designed to leverage Azure Sentinel's built-in DNS-related analytics capabilities.",
"graphQueries": [
{
"metricName": "Total data received",
@ -13,8 +13,8 @@
],
"sampleQueries": [
{
"description" : "DNS Server Top 5 Domains by number of lookups",
"query": "NXLog_parsed_DNS_Server_ASim_view\n| sort by Lookups\n| take 5\n| render piechart title=\"Top 5 Domains by number of lookups\""
"description" : "DNS Server top 5 hostlookups",
"query": "NXLog_parsed_DNS_Server_ASim_view\n| summarize count() by Domain\n| take 5\n| render piechart title=\"Top 5 host lookups\""
},
{
"description" : "DNS Server Top 5 EventOriginalTypes (Event IDs)",
@ -22,7 +22,7 @@
},
{
"description" : "DNS Server analytical events per second (EPS)",
"query" : "NXLog_parsed_DNS_Server_ASim_view\n| where EventEndTime >= todatetime('2021-09-08 02:30')\n| where EventEndTime < todatetime('2021-09-08 03:00')\n| summarize EPS=count() by bin(EventEndTime, 1s)\n| render timechart title=\"DNS analytical events per second (EPS) - All event types\""
"query" : "NXLog_parsed_DNS_Server_ASim_view\n| where EventEndTime >= todatetime('2021-09-17 03:07')\n| where EventEndTime < todatetime('2021-09-18 03:14')\n| summarize EPS=count() by bin(EventEndTime, 1s)\n| render timechart title=\"DNS analytical events per second (EPS) - All event types\""
}
],
"dataTypes": [
@ -70,7 +70,7 @@
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This data connector depends on parsers based on Kusto functions deployed with the Azure Sentinel Solution to work as expected. The [**NXLog_parsed_DNS_Server_ASim_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_ASim_view.txt) is designed to leverage Azure Sentinel's built-in DNS-related analytics capabilities. The other fucntions, [**NXLog_parsed_DNS_Server_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_view.txt), [**NXLog_parsed_DNS_Audit_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Audit_view.txt), and [**NXLog_parsed_DNS_Analytical_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Analytical_view.txt) are designed to work with custom analytics that use the NXLog schema for Windows DNS Server events.",
"description": ">**NOTE:** This data connector depends on parsers based on Kusto functions deployed with the Azure Sentinel Solution to work as expected. The [**NXLog_parsed_DNS_Server_ASim_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_ASim_view.txt) is designed to leverage Azure Sentinel's built-in DNS-related analytics capabilities.",
"instructions": [
]
},
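Review bot: The rewritten sample query `| summarize count() by Domain\n| take 5` does not rank anything — `take` returns an arbitrary five rows, so the pie chart is not a top 5 and its contents change between runs. Use `| summarize Lookups=count() by Domain\n| top 5 by Lookups` (or `sort by Lookups desc | take 5`) so the output matches the chart title. `Domain` also looks like a raw NXLog column rather than an ASim field; the parser's project-away list drops several raw columns, so confirm the ASim view still exposes it or switch the query to the normalized query-name field. The EPS sample query hard-codes a 24-hour window on absolute 2021-09-17/18 timestamps binned at 1s, which only fits the shipped sample data; a relative window such as `| where EventEndTime > ago(30m)` would make it usable on live data. The description string "top 5 hostlookups" is also missing a space.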


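--- a/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Analytical_view.txt
+++ /dev/null
@@ -1,79 +0,0 @@
-// Usage Instructions:
-// Paste the query below into the Log Analytics query editor.
-// Click the "Save" button and select "Save as function".
-// Enter "NXLog_parsed_DNS_Analytical_view" in the "Function name" field.
-// For "Legacy category:" enter "DNS Server logs".
-// "Paramters" are not needed.
-// Function usually takes 10-15 minutes to activate.
-// You can then use this function from any other queries (e.g. NXLog_parsed_DNS_Analytical_view | take 10).
-// Reference: Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
-let NXLog_parsed_DNS_Analytical_view = view () {
-DNS_Server_CL
-| where EventID_d < 281
-| project-rename
-AA=AA_s,
-AccountName=AccountName_s,
-AccountType=AccountType_s,
-AD=AD_s,
-AdditionalInfo=AdditionalInfo_s,
-BufferSize=BufferSize_s,
-CacheScope=CacheScope_s,
-ChannelID=ChannelID_d,
-CustomLogName=Type,
-Destination=Destination_s,
-DNSSEC=DNSSEC_s,
-Domain=Domain_s,
-ElapsedTime=ElapsedTime_s,
-EventReceivedTime=EventReceivedTime_t,
-EventID=EventID_d,
-EventTime=EventTime_t,
-EventType=EventType_s,
-ExecutionProcessID=ExecutionProcessID_d,
-ExecutionThreadID=ExecutionThreadID_d,
-FilePath=FilePath_s,
-Flags=Flags_s,
-GUID=GUID_g,
-Hostname=Hostname_s,
-InterfaceIP=InterfaceIP_s,
-Keywords=Keywords_s,
-Lookup=Lookup_s,
-NAME=NAME_s,
-Name=Name_s,
-NewValue=NewValue_s,
-OpcodeValue=OpcodeValue_d,
-PacketData=PacketData_s,
-PolicyName=PolicyName_s,
-Port=Port_s,
-PropertyKey=PropertyKey_s,
-ProviderGuid=ProviderGuid_g,
-QNAME=QNAME_s,
-QTYPE=QTYPE_s,
-QXID=QXID_s,
-RCODE=RCODE_s,
-RD=RD_s,
-RDATA=RDATA_s,
-Reason=Reason_s,
-RecursionDepth=RecursionDepth_s,
-RecursionScope=RecursionScope_s,
-ReplicationScope=ReplicationScope_s,
-Scope=Scope_s,
-Severity=Severity_s,
-SeverityValue=SeverityValue_d,
-Source=Source_s,
-SourceModuleName=SourceModuleName_s,
-SourceModuleType=SourceModuleType_s,
-SourceName=SourceName_s,
-TaskValue=TaskValue_d,
-TCP=TCP_s,
-TTL=TTL_s,
-UserID=UserID_s,
-Version=Version_d,
-VirtualizationID=VirtualizationID_s,
-XID=XID_s,
-Zone=Zone_s,
-ZoneFile=ZoneFile_s,
-ZoneScope=ZoneScope_s
-| project-rename
-Type=Type_s
-};
-NXLog_parsed_DNS_Analytical_view();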


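--- a/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Audit_view.txt
+++ /dev/null
@@ -1,79 +0,0 @@
-// Usage Instructions:
-// Paste the query below into the Log Analytics query editor.
-// Click the "Save" button and select "Save as function".
-// Enter "NXLog_parsed_DNS_Audit_view" in the "Function name" field.
-// For "Legacy category:" enter "DNS Server logs".
-// "Paramters" are not needed.
-// Function usually takes 10-15 minutes to activate.
-// You can then use this function from any other queries (e.g. NXLog_parsed_DNS_Audit_view | take 10).
-// Reference: Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
-let NXLog_parsed_DNS_Audit_view = view () {
-DNS_Server_CL
-| where EventID_d > 511
-| project-rename
-AA=AA_s,
-AccountName=AccountName_s,
-AccountType=AccountType_s,
-AD=AD_s,
-AdditionalInfo=AdditionalInfo_s,
-BufferSize=BufferSize_s,
-CacheScope=CacheScope_s,
-ChannelID=ChannelID_d,
-CustomLogName=Type,
-Destination=Destination_s,
-DNSSEC=DNSSEC_s,
-Domain=Domain_s,
-ElapsedTime=ElapsedTime_s,
-EventReceivedTime=EventReceivedTime_t,
-EventID=EventID_d,
-EventTime=EventTime_t,
-EventType=EventType_s,
-ExecutionProcessID=ExecutionProcessID_d,
-ExecutionThreadID=ExecutionThreadID_d,
-FilePath=FilePath_s,
-Flags=Flags_s,
-GUID=GUID_g,
-Hostname=Hostname_s,
-InterfaceIP=InterfaceIP_s,
-Keywords=Keywords_s,
-Lookup=Lookup_s,
-NAME=NAME_s,
-Name=Name_s,
-NewValue=NewValue_s,
-OpcodeValue=OpcodeValue_d,
-PacketData=PacketData_s,
-PolicyName=PolicyName_s,
-Port=Port_s,
-PropertyKey=PropertyKey_s,
-ProviderGuid=ProviderGuid_g,
-QNAME=QNAME_s,
-QTYPE=QTYPE_s,
-QXID=QXID_s,
-RCODE=RCODE_s,
-RD=RD_s,
-RDATA=RDATA_s,
-Reason=Reason_s,
-RecursionDepth=RecursionDepth_s,
-RecursionScope=RecursionScope_s,
-ReplicationScope=ReplicationScope_s,
-Scope=Scope_s,
-Severity=Severity_s,
-SeverityValue=SeverityValue_d,
-Source=Source_s,
-SourceModuleName=SourceModuleName_s,
-SourceModuleType=SourceModuleType_s,
-SourceName=SourceName_s,
-TaskValue=TaskValue_d,
-TCP=TCP_s,
-TTL=TTL_s,
-UserID=UserID_s,
-Version=Version_d,
-VirtualizationID=VirtualizationID_s,
-XID=XID_s,
-Zone=Zone_s,
-ZoneFile=ZoneFile_s,
-ZoneScope=ZoneScope_s
-| project-rename
-Type=Type_s
-};
-NXLog_parsed_DNS_Audit_view();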


@ -42,8 +42,8 @@ let NXLog_parsed_DNS_Server_ASim_view = view () {
, 259, 'response'
, 260, 'request'
, 261, 'response'
, 262, 'request'
, 263, 'response'
, 262, 'response'
, 263, 'request'
, 264, 'response'
, 265, 'request'
, 266, 'request'
@ -53,14 +53,14 @@ let NXLog_parsed_DNS_Server_ASim_view = view () {
, 270, 'request'
, 271, 'response'
, 272, 'response'
, 273, 'response'
, 274, 'response'
, 273, 'request'
, 274, 'request'
, 275, 'response'
, 276, 'response'
, 277, 'response'
, 277, 'request'
, 278, 'response'
, 279, 'request'
, 280, 'request'
, 279, 'NA'
, 280, 'NA'
];
let EventResultTable=datatable(EventOriginalType:real,EventResult:string)[
256, 'NA'
@ -68,30 +68,30 @@ let NXLog_parsed_DNS_Server_ASim_view = view () {
, 258, 'Failure'
, 259, 'Failure'
, 260, 'NA'
, 261, 'Success'
, 261, 'NA'
, 262, 'Failure'
, 263, 'Success'
, 264, 'Success'
, 263, 'NA'
, 264, 'Based on RCODE'
, 265, 'NA'
, 266, 'NA'
, 267, 'Success'
, 268, 'Success'
, 267, 'Based on RCODE'
, 268, 'Based on RCODE'
, 269, 'NA'
, 270, 'NA'
, 271, 'Success'
, 272, 'Success'
, 273, 'Success'
, 274, 'Success'
, 271, 'Based on RCODE'
, 272, 'Based on RCODE'
, 273, 'NA'
, 274, 'NA'
, 275, 'Success'
, 276, 'Success'
, 277, 'Success'
, 278, 'Success'
, 277, 'NA'
, 278, 'Based on RCODE'
, 279, 'NA'
, 280, 'NA'
];
let RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[
0, 'NOERROR'
, 1, 'FORMERR'
0,'NOERROR'
, 1,'FORMERR'
, 2,'SERVFAIL'
, 3,'NXDOMAIN'
, 4,'NOTIMP'
@ -157,7 +157,7 @@ let NXLog_parsed_DNS_Server_ASim_view = view () {
DnsResponseCode=RCODE_s,
DnsResponseName=PacketData_s,
Dvc=Hostname_s,
DvcIpAddr=InterfaceIP_s,
DvcIpAddr=Host_IP_s,
EventOriginalType=EventID_d,
EventOriginalUid=GUID_g,
EventStartTime=EventTime_t,
@ -209,6 +209,7 @@ let NXLog_parsed_DNS_Server_ASim_view = view () {
EventType_s,
ExecutionProcessID_d,
ExecutionThreadID_d,
InterfaceIP_s,
Keywords_s,
OpcodeValue_d,
PolicyName_s,
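Review bot: `DvcIpAddr=Host_IP_s` in the project stage binds the parser to a column that only exists once NXLog has been configured to emit it; on a workspace whose DNS_Server_CL table has never received an event carrying that field, the whole function fails to resolve and every ASim DNS analytic built on it fails with it. Guard the reference with `DvcIpAddr=column_ifexists('Host_IP_s', ''),` so the view still compiles while the field is absent. The new EventResultTable value 'Based on RCODE' is not a valid ASim EventResult (Success, Partial, Failure or NA); unless it is rewritten from the response code later in the function, it leaks into the normalized output and silently defeats filters such as `EventResult == 'Failure'`. If it is meant as a placeholder, resolve it after the join, e.g. `EventResult=iff(EventResult == 'Based on RCODE', iff(toint(RCODE_s) == 0, 'Success', 'Failure'), EventResult)`. The enclosing view starts before this section's first hunk and its project stage continues past the last one, so I could not confirm either point against the rest of the function.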


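--- a/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_view.txt
+++ /dev/null
@@ -1,78 +0,0 @@
-// Usage Instructions:
-// Paste the query below into the Log Analytics query editor.
-// Click the "Save" button and select "Save as function".
-// Enter "NXLog_parsed_DNS_Server_view" in the "Function name" field.
-// For "Legacy category:" enter "DNS Server logs".
-// "Paramters" are not needed.
-// Function usually takes 10-15 minutes to activate.
-// You can then use this function from any other queries (e.g. NXLog_parsed_DNS_Server_view | take 10).
-// Reference: Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
-let NXLog_parsed_DNS_Server_view = view () {
-DNS_Server_CL
-| project-rename
-AA=AA_s,
-AccountName=AccountName_s,
-AccountType=AccountType_s,
-AD=AD_s,
-AdditionalInfo=AdditionalInfo_s,
-BufferSize=BufferSize_s,
-CacheScope=CacheScope_s,
-ChannelID=ChannelID_d,
-CustomLogName=Type,
-Destination=Destination_s,
-DNSSEC=DNSSEC_s,
-Domain=Domain_s,
-ElapsedTime=ElapsedTime_s,
-EventReceivedTime=EventReceivedTime_t,
-EventID=EventID_d,
-EventTime=EventTime_t,
-EventType=EventType_s,
-ExecutionProcessID=ExecutionProcessID_d,
-ExecutionThreadID=ExecutionThreadID_d,
-FilePath=FilePath_s,
-Flags=Flags_s,
-GUID=GUID_g,
-Hostname=Hostname_s,
-InterfaceIP=InterfaceIP_s,
-Keywords=Keywords_s,
-Lookup=Lookup_s,
-NAME=NAME_s,
-Name=Name_s,
-NewValue=NewValue_s,
-OpcodeValue=OpcodeValue_d,
-PacketData=PacketData_s,
-PolicyName=PolicyName_s,
-Port=Port_s,
-PropertyKey=PropertyKey_s,
-ProviderGuid=ProviderGuid_g,
-QNAME=QNAME_s,
-QTYPE=QTYPE_s,
-QXID=QXID_s,
-RCODE=RCODE_s,
-RD=RD_s,
-RDATA=RDATA_s,
-Reason=Reason_s,
-RecursionDepth=RecursionDepth_s,
-RecursionScope=RecursionScope_s,
-ReplicationScope=ReplicationScope_s,
-Scope=Scope_s,
-Severity=Severity_s,
-SeverityValue=SeverityValue_d,
-Source=Source_s,
-SourceModuleName=SourceModuleName_s,
-SourceModuleType=SourceModuleType_s,
-SourceName=SourceName_s,
-TaskValue=TaskValue_d,
-TCP=TCP_s,
-TTL=TTL_s,
-UserID=UserID_s,
-Version=Version_d,
-VirtualizationID=VirtualizationID_s,
-XID=XID_s,
-Zone=Zone_s,
-ZoneFile=ZoneFile_s,
-ZoneScope=ZoneScope_s
-| project-rename
-Type=Type_s
-};
-NXLog_parsed_DNS_Server_view();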