Complete DNS activity coverage in endpoint

Hey,

I've noticed that the rule DNS Activity to the Internet does not work with Elastic Endpoint data, even when I explicitly contact an external DNS server from my machines that are covered by Elastic Endpoint.
I dug a bit further, and it seems that

I understand that it's difficult to record UDP traffic because it can't be naturally aggregated into connections like TCP. I would love to see more comprehensive coverage of DNS activity on both Windows and Linux in the future though. Is this planned?

From personal experience investigating suspicious activity, it would be great to have full coverage of

  • dns.question.name
  • dns.answer.data
  • destination.ip (of the DNS server), destination.port, network.protocol (DNS, DoT, DoH)
  • process.name / executable

Especially the last part is crucial to tie together what process actually caused a lookup to a domain that is malicious.

Finally: Is there an official place to file requests for the Endpoint integration? It doesn't seem to be on GitHub.

Thanks!

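As an added illustration of why the fields listed above matter for triage (this is example code written for this thread, not part of the original post and not Elastic's rule logic), the script below runs a simple "DNS activity to the Internet" check over a handful of constructed endpoint events. It uses the same dotted field names the post asks for (ECS actually spells the answer field `dns.answers.data`; the `dns.answer.data` key here follows the post), treats an event as DNS when `network.protocol` is `dns`, `dot` or `doh` or the destination port is 53/853, and flags lookups whose resolver is neither an RFC1918 address nor on a hypothetical allowlist of corporate resolvers. The `process.name` field is what lets each hit be tied back to the program that issued the lookup.

```python
import ipaddress

# Constructed sample events using ECS-style dotted keys (not real Endpoint output).
SAMPLE_EVENTS = [
    # Normal lookup through the internal resolver: should not be flagged.
    {"process.name": "svchost.exe", "dns.question.name": "updates.example.com",
     "dns.answer.data": "93.184.216.34", "destination.ip": "10.0.0.53",
     "destination.port": 53, "network.protocol": "dns"},
    # Script bypassing the corporate resolver and going straight to a public one.
    {"process.name": "powershell.exe", "dns.question.name": "c2-placeholder.example",
     "dns.answer.data": "198.51.100.7", "destination.ip": "8.8.8.8",
     "destination.port": 53, "network.protocol": "dns"},
    # DNS over TLS to an external resolver: still DNS activity to the Internet.
    {"process.name": "curl", "dns.question.name": "cdn.example.org",
     "dns.answer.data": "203.0.113.20", "destination.ip": "1.1.1.1",
     "destination.port": 853, "network.protocol": "dot"},
    # Plain HTTPS connection with no DNS fields: not a DNS event at all.
    {"process.name": "chrome.exe", "destination.ip": "203.0.113.10",
     "destination.port": 443, "network.protocol": "http"},
    # Home-router style resolver on a private range: not flagged.
    {"process.name": "nslookup", "dns.question.name": "printer.local",
     "destination.ip": "192.168.1.1", "destination.port": 53,
     "network.protocol": "dns"},
]

DNS_PROTOCOLS = {"dns", "dot", "doh"}
DNS_PORTS = {53, 853}


def is_dns_event(event):
    """True if the event looks like a DNS transaction (protocol tag or port)."""
    proto = str(event.get("network.protocol", "")).lower()
    return proto in DNS_PROTOCOLS or event.get("destination.port") in DNS_PORTS


def is_external_resolver(ip_text, allowed_resolvers=()):
    """True if the destination is a public address not on the resolver allowlist."""
    if ip_text in allowed_resolvers:
        return False
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed or missing address: nothing to judge
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def external_dns_lookups(events, allowed_resolvers=()):
    """Return one record per DNS event whose resolver is outside the organisation."""
    hits = []
    for ev in events:
        if not is_dns_event(ev):
            continue
        if not is_external_resolver(ev.get("destination.ip", ""), allowed_resolvers):
            continue
        hits.append({
            "process": ev.get("process.name", "<unknown>"),
            "question": ev.get("dns.question.name", "<none>"),
            "answer": ev.get("dns.answer.data", "<none>"),
            "resolver": ev["destination.ip"],
            "port": ev.get("destination.port"),
            "protocol": ev.get("network.protocol"),
        })
    return hits


if __name__ == "__main__":
    # Hypothetical corporate resolver allowlist; 10.0.0.53 is constructed.
    for hit in external_dns_lookups(SAMPLE_EVENTS, allowed_resolvers={"10.0.0.53"}):
        print(f"{hit['process']} -> {hit['question']} via {hit['resolver']}:"
              f"{hit['port']} ({hit['protocol']}), answer {hit['answer']}")
```

Without `process.name` the two hits above would both read as "something on this host talked to 8.8.8.8", which is the situation the post describes; with it, the PowerShell lookup and the curl DoT session can be triaged separately.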

Thanks @nemhods - this is great feedback. We are looking to improve our eventing collection and will take this input!

Really appreciate you working with endpoint.

Braden