Windows DNS Server Log Activity

The Windows DNS Server Log Activity dashboard shows a summary of DNS lookups collected with the Snare agent's log file collection feature, previously known as Epilog. As of version 5.2.0 the log monitoring collection feature is integrated into the base agent.

Depending on the environment, client software that is infected with a Trojan or other malware will start polling specific hosts on the internet to download a payload or upload data. Known blocklists of these malicious sites and IP addresses exist, so if you collect the DNS debug logs from your Windows DNS Server or UNIX servers, the DNS lookups can be correlated with these known bad sites. The screenshot examples show a lookup of a known malware site that, when visited, will try to download more malware to the client. A system trying to reach one of these known sites can be an indicator of compromise that the local antivirus, if installed, is not detecting.

Some parts of the dashboard only show data for the last 4 hours, because some Windows DNS servers generate a very large number of events. If longer search times are needed, use the event search feature to search logs over a longer time period.

The screen shows the summary of domain records detected in the selected time filter, the activity over time and the number of systems performing the DNS lookups. Selecting any of these elements opens a drill-through with the raw information on which domains and systems were accessed over time.
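The correlation the dashboard performs (parse the DNS debug log, count lookups per client, and flag queries for domains on a known bad list) can be reproduced offline. The example below is added here and is not Snare's or Microsoft's code. It assumes the Windows DNS Server debug log format produced with "Log packets for debugging" enabled (one packet per line, question names written as length-prefixed labels such as `(3)www(7)example(3)com(0)`); the log lines, client addresses, domain names and the blocklist are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of Windows DNS Server debug log (dns.log) lines.
# Fields: date time threadId PACKET packetId proto Snd/Rcv remoteIp xid [R] opcode [flags] qtype qname
SAMPLE_LOG = """\
2/9/2024 4:55:58 AM 0F44 PACKET  000001E2C3A4B5C0 UDP Rcv 10.0.0.25       a1b2   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
2/9/2024 4:55:59 AM 0F44 PACKET  000001E2C3A4B5C0 UDP Snd 10.0.0.25       a1b2 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
2/9/2024 4:56:02 AM 0F44 PACKET  000001E2C3A4B6D8 UDP Rcv 10.0.0.77       c3d4   Q [0001   D   NOERROR] A      (4)evil(7)example(3)net(0)
2/9/2024 4:56:02 AM 0F44 PACKET  000001E2C3A4B6D8 UDP Rcv 10.0.0.77       c3d5   Q [0001   D   NOERROR] TXT    (3)cdn(4)evil(7)example(3)net(0)
2/9/2024 4:56:03 AM 0F44 PACKET  000001E2C3A4B6D8 UDP Rcv 10.0.0.25       c3d6   Q [0001   D   NOERROR] AAAA   (6)update(7)example(3)org(0)
"""

# Constructed blocklist standing in for a real threat-intelligence feed.
BLOCKLIST = {"evil.example.net"}

# One debug-log packet line. The optional "R" after the transaction id marks a response.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<thread>[0-9A-F]+)\s+PACKET\s+"
    r"(?P<pkt>[0-9A-F]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9a-f]+)\s+(?P<resp>R?)\s*(?P<op>Q|N|U|\?)\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_name(encoded: str) -> str:
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com', checking each label length."""
    labels = []
    for length, label in LABEL_RE.findall(encoded):
        if int(length) == 0:          # root label terminates the name
            break
        if len(label) != int(length):
            raise ValueError(f"label length mismatch in {encoded!r}")
        labels.append(label)
    return ".".join(labels).lower()


def parse_line(line: str):
    """Parse one packet line; return None for lines that are not packet records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": f"{m['date']} {m['time']}",
        "direction": m["dir"],
        "client": m["ip"],
        "is_response": m["resp"] == "R",
        "qtype": m["qtype"],
        "qname": decode_name(m["qname"]),
    }


def match_blocklist(qname: str, blocklist: set):
    """Return the blocklisted domain that qname equals or is a subdomain of, else None."""
    parts = qname.split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in blocklist:
            return candidate
    return None


def analyse(log_text: str, blocklist: set) -> dict:
    """Summarise inbound queries only (Rcv lines that are not responses): lookups per
    client, distinct domains, and every query that hits the blocklist with its client,
    which is the same view the dashboard's summary and drill-through give."""
    lookups_per_client = Counter()
    domains = Counter()
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["direction"] != "Rcv" or rec["is_response"]:
            continue
        lookups_per_client[rec["client"]] += 1
        domains[rec["qname"]] += 1
        listed = match_blocklist(rec["qname"], blocklist)
        if listed:
            hits.append({"timestamp": rec["timestamp"], "client": rec["client"],
                         "qtype": rec["qtype"], "qname": rec["qname"], "listed_as": listed})
    return {"lookups_per_client": dict(lookups_per_client),
            "domains": dict(domains), "hits": hits}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, BLOCKLIST)
    print("lookups per client:", result["lookups_per_client"])
    for h in result["hits"]:
        print(f"BLOCKLIST HIT {h['timestamp']} client={h['client']} "
              f"{h['qtype']} {h['qname']} (listed as {h['listed_as']})")
```

Only received queries are counted, so the server's own Snd/response lines do not double the per-client totals; matching walks up the label hierarchy so a query for a subdomain of a listed domain is also reported, which is how a client fetching from `cdn.evil.example.net` still surfaces when only the parent domain is on the list.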

[Screenshot: Windows DNS Server Log Activity dashboard]
