SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

DNS Query - Exclude hostname resolution on localhost - EventID 22 #141

Closed ivicaagatunovic closed 3 years ago

ivicaagatunovic commented 3 years ago

In our environment we are using Sysmon v13.01 with Event ID 22 enabled, which generated a lot of DNS log storms. Is it possible to somehow exclude / filter out DNS queries so the machine doesn't log localhost resolving? In the Sysmon logs I see the majority of DNS events are coming from the machine trying to resolve itself (QueryName: "localmachinename"). The following piece of code under the DNS Query section in the Sysmon config file is already included but doesn't apply, since hostnames are unique and don't match "localhost" or "localmachine":

```xml
<DnsQuery onmatch="exclude">
  <QueryName condition="is">..localmachine</QueryName>
  <QueryName condition="is">localhost</QueryName>
</DnsQuery>
```

Any ideas how this can be solved?

Thanks, Ivica
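Because a Sysmon configuration is static XML, it cannot refer to "whatever this machine's name is"; the narrowest workaround is to generate a per-host configuration that carries the host's own names as exact-match exclusions. The script below is an added example and is not part of the sysmon-config project or of this issue. It assumes a template copy of the config that contains a marker comment `<!--LOCALNAME-EXCLUSIONS-->` inside the `<DnsQuery onmatch="exclude">` rule group, and the file paths are placeholders.

```powershell
# Added example (not from the sysmon-config project): build per-host DnsQuery
# exclusions so Event ID 22 does not record the machine resolving its own name.
# Assumes the template contains the marker <!--LOCALNAME-EXCLUSIONS--> inside
# the <DnsQuery onmatch="exclude"> block. Paths are placeholders.

$Template = 'C:\Sysmon\sysmonconfig-template.xml'   # placeholder path
$Output   = 'C:\Sysmon\sysmonconfig-thishost.xml'   # placeholder path

# Names this host may use when it looks itself up: short name and FQDN.
$short = $env:COMPUTERNAME
try {
    $fqdn = [System.Net.Dns]::GetHostEntry([string]::Empty).HostName
} catch {
    # Fall back to composing the FQDN from environment variables if DNS is unavailable.
    $fqdn = if ($env:USERDNSDOMAIN) { "$short.$env:USERDNSDOMAIN" } else { $null }
}
$names = @($short, $fqdn) | Where-Object { $_ } | Select-Object -Unique

# One exact-match rule per name. Escape the value so an unusual hostname
# cannot break the XML document. Sysmon filter matching is case-insensitive.
$rules = ($names | ForEach-Object {
    $escaped = [System.Security.SecurityElement]::Escape($_)
    "      <QueryName condition=`"is`">$escaped</QueryName>"
}) -join "`r`n"

$xml = Get-Content -Path $Template -Raw
if ($xml -notmatch '<!--LOCALNAME-EXCLUSIONS-->') {
    throw "Marker <!--LOCALNAME-EXCLUSIONS--> not found in $Template"
}
# Use the string Replace method rather than -replace so the hostname is not
# interpreted as a regex replacement pattern.
$xml = $xml.Replace('<!--LOCALNAME-EXCLUSIONS-->', $rules)

# Fail before writing anything if the result is no longer well-formed XML.
[xml]$null = $xml

Set-Content -Path $Output -Value $xml -Encoding UTF8
Write-Host "Wrote $Output with exclusions for: $($names -join ', ')"

# Apply from an elevated prompt (assumed 64-bit Sysmon binary name):
#   sysmon64.exe -c C:\Sysmon\sysmonconfig-thishost.xml
```

The generated rules use `condition="is"`, so only queries for the host's exact short name or FQDN are dropped; lookups for every other name, including lookalike names that merely contain the hostname, are still logged. The configuration must be regenerated and reapplied if the machine is renamed or joins a different domain, which is worth wiring into the same deployment step that installs Sysmon.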

SwiftOnSecurity commented 3 years ago

Hi @ivicaagatunovic this has to be a feature request here