...

The sample configuration, which starts at line 836 for Event ID 22 (DNS Query), covers the basic filtering and setup needs. You can apply this configuration as is or tune it for your specific network and filter out other domains. Install the new configuration XML file by running “sysmon64.exe -c config.xml”.
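As an added illustration of the tuning described above (not the sample configuration the page refers to, and not Snare's or Sysinternals' own file), a minimal Sysmon configuration that records every DNS query except those for a few noisy domains; the schema version and the domain names are assumptions chosen for the example:

```xml
<!-- Added example: Event ID 22 (DnsQuery) filtering for Sysmon.
     Schema version and domain names are assumptions; replace the domain
     names with the ones that are noisy on your own network. -->
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- onmatch="exclude": every DNS query that does NOT match one of
           the rules below is logged as Event ID 22. -->
      <DnsQuery onmatch="exclude">
        <!-- Constructed internal zone: suppress lookups of your own domain. -->
        <QueryName condition="end with">.corp.example.internal</QueryName>
        <!-- Constructed examples of high-volume update/telemetry hosts. -->
        <QueryName condition="end with">.windowsupdate.com</QueryName>
        <QueryName condition="end with">.msftconnecttest.com</QueryName>
        <!-- Reverse lookups for RFC 1918 space, which are rarely useful. -->
        <QueryName condition="end with">.10.in-addr.arpa</QueryName>
        <QueryName condition="end with">.168.192.in-addr.arpa</QueryName>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply it with “sysmon64.exe -c config.xml” as described above; anything left out of the exclude list still reaches the Snare agent, where further suppression can be done with the agent's own exclude features.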

Once installed you will start to see Event ID 22 showing up, which the Snare agent will collect and forward to Snare Central or another SIEM. The DNS Event ID 22 will show whether the query was successful or unsuccessful, cached or not. The events will show the full domain lookup details as well as the user and command that performed the DNS lookup.

Filtering of these events can be set up in the agent for the specific custom event location; event IDs or strings in the event can be excluded using the normal agent event exclude features.