elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] Network DNS histogram relies on dns.question.registered_domain field that's not provided by default integrations #187452

Open angorayc opened 4 days ago

angorayc commented 4 days ago

In Security Solution > Network > DNS tab, the dns.question.registered_domain field that the DNS histogram is looking for is not provided by Elastic Defend (dataset endpoint.events.network) by default. Users have to manually create an ingest pipeline to add the field from dns.question.name to visualise the chart successfully. We haven't got any guidance on the page to let users know how to generate this field. Therefore I would like to create a doc to document this solution and add its link to Security Solution's network page. Please find the referenced issue below.

Screenshot 2024-07-03 at 10 13 10

query:

{
  "aggs": {
    "0": {
      "terms": {
        "field": "dns.question.registered_domain",
        "order": {
          "2": "desc"
        },
        "size": 10,
        "shard_size": 1000
      },
      "aggs": {
        "1": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "30m",
            "time_zone": "Europe/London",
            "extended_bounds": {
              "min": 1719961200000,
              "max": 1720047599999
            }
          },
          "aggs": {
            "2": {
              "cardinality": {
                "field": "dns.question.name"
              }
            }
          }
        },
        "2": {
          "cardinality": {
            "field": "dns.question.name"
          }
        }
      }
    }
  },
  "size": 0,
  "runtime_mappings": {},
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "_index": "auditbeat-*"
                }
              },
              {
                "match_phrase": {
                  "_index": "filebeat-*"
                }
              },
              {
                "match_phrase": {
                  "_index": "logs-*"
                }
              },
              {
                "match_phrase": {
                  "_index": "packetbeat-*"
                }
              },
              {
                "match_phrase": {
                  "_index": "winlogbeat-*"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2024-07-02T23:00:00.000Z",
              "lte": "2024-07-03T22:59:59.999Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": [
        {
          "match_phrase": {
            "dns.question.type": "PTR"
          }
        }
      ]
    }
  }
}

Required ingest pipeline:

Screenshot 2024-07-02 at 17 12 06

~~Suggested option 1: Update the query here to use dns.question.name~~
Suggested option 2: Add a link and doc to guide users on how to add the dns.question.registered_domain field.
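The ingest pipeline the comment above refers to is only visible in its screenshot, so the following is an added example (not from the issue author, and not code shipped by Elastic Defend or Kibana) of how such a pipeline can be built with Elasticsearch's `registered_domain` processor. Assumptions: the pipeline name `logs-endpoint.events.network@custom` is the `@custom` hook that the Elastic Defend integration's default pipeline calls for the `endpoint.events.network` dataset (verify the exact name against the integration's installed default pipeline in your stack); the sample document in the `_simulate` call is constructed for illustration.

```console
# Added example: populate dns.question.registered_domain from dns.question.name.
# The registered_domain processor splits the name against the public suffix list
# and writes domain, registered_domain, top_level_domain and subdomain under target_field.
PUT _ingest/pipeline/logs-endpoint.events.network@custom
{
  "description": "Derive ECS registered_domain fields for Elastic Defend DNS events (assumed @custom hook name)",
  "processors": [
    {
      "registered_domain": {
        "field": "dns.question.name",
        "target_field": "dns.question",
        "ignore_missing": true
      }
    }
  ]
}

# Check the result without indexing anything; the document below is constructed.
POST _ingest/pipeline/logs-endpoint.events.network@custom/_simulate
{
  "docs": [
    {
      "_source": {
        "@timestamp": "2024-07-03T09:00:00.000Z",
        "dns": {
          "question": { "name": "www.example.co.uk", "type": "A" }
        }
      }
    }
  ]
}
# Expected in the simulated _source:
#   dns.question.domain:            "www.example.co.uk"
#   dns.question.registered_domain: "example.co.uk"
#   dns.question.top_level_domain:  "co.uk"
#   dns.question.subdomain:         "www"
```

Two checks worth doing before relying on the histogram: confirm that the pipeline is actually invoked for new `logs-endpoint.events.network-*` documents (the `@custom` pipeline only runs if the integration's default pipeline references it), and confirm that `dns.question.registered_domain` is mapped as `keyword` in the data stream's index template, because the `terms` aggregation in the query above needs an aggregatable field; a dynamically mapped `text` field will not work. Documents ingested before the pipeline existed will not gain the field, so the chart only covers events from that point on.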

elasticmachine commented 4 days ago

Pinging @elastic/security-threat-hunting-explore (Team:Threat Hunting:Explore)