🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Microsoft DNS Integration Guide

integrations endpoints microsoft


This guide provides configuration instructions for Microsoft Windows Domain Name Server (DNS) logging in order to transmit the logs for security monitoring by other agents. Supported agents can be found at Connect Microsoft Windows Event Log.

The Secureworks® Taegis™ XDR On-Premises Data Collector accepts logs in the Snare over Syslog format.

Note

Secureworks® Taegis™ XDR parses the Microsoft DNS debug format that can be collected by Snare or NXLog CE.

Microsoft DNS Analytics trace events are not currently supported by Secureworks® Taegis™ XDR.

Connectivity Requirements

Source Destination Port/Protocol
Windows server Taegis™ XDR Collector (mgmt IP) UDP/514

Data Provided from Integration

  Auth DHCP DNS File HTTP Management Netflow NIDS Process Thirdparty
Microsoft DNS     D              

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Logging Configuration Instructions

Logging configuration depends on the version of Windows DNS you are running.

Important

The data source must be configured to report timestamps as UTC to ensure that Secureworks® Taegis™ XDR reports the correct time zone.

Note

NXLog CE does not support changing the timestamp into UTC. If that is required, a different product like NXlog Enterprise Edition is required.

Configuring Windows DNS 2008+ Debug Logging

Note

These steps support Microsoft Windows DNS versions 2008 and later.

Important

As with many diagnostic functions, there may be performance issues when enabling DNS debugging. If you are unsure how enabling Microsoft DNS debug logs will impact your system, Secureworks suggests enabling them on a non-critical system first to determine the impact.

Note that customers who have integrated a Secureworks® Taegis™ XDR-supported Endpoint, Detection, and Response (EDR) solution may forgo Microsoft DNS debug logs, as the EDR solution will provide DNS telemetry sufficient to power Secureworks® Taegis™ XDR detectors for those systems. However, customers should consider other non-EDR systems in their infrastructure that may benefit from monitoring Microsoft DNS debug logs.

  1. From your Windows machine, go to Start > Programs > Administrative Tools > DNS.
  2. Within the DNS management console, right-click on the DNS server you are configuring and select Properties.

Open DNS server Properties.

Open DNS server Properties

  1. Select the Debug Logging tab.

Select the Debug Logging Tab.

Select the Debug Logging Tab

  1. Select the following fields:

    • Packet direction — Outgoing and Incoming
    • Transport protocol — UDP and TCP
    • Packet contents — Queries/Transfers and Updates
    • Packet type — Request and Response

Select the appropriate fields.

Select the Appropriate Fields

  1. Under Log File, the default directory path for the log file is C:\WINDOWS\system32\dns\dns.log.

Note

Please note if your log file path is different than the default, as the path is needed when configuring your logging agent.

  1. Select OK to save your changes. You can now configure your logging agent.

 

On this page: