Hey,
I've noticed that the rule DNS Activity to the Internet does not work with Elastic Endpoint data, even when I explicitly contact an external DNS server from my machines that are covered by Elastic Endpoint.
I dug a bit further, and it seems that
- on linux, no UDP traffic is captured at all, including DNS (53/udp)
- on Windows, it is captured through a sysmon-like interface, but without
destination.ip
information (see my other post: https://discuss.elastic.co/t/missing-dns-requests-on-windows-machine)
I understand that it's difficult to record UDP traffic because it can't be naturally aggregated into connections like TCP. I would love to see more comprehensive coverage of DNS activity on both windows and linux in the future though. Is this planned?
From personal experience investigating suspicious activity, it would be great to have full coverage of
dns.question.name
dns.answer.data
-
destination.ip
(of the DNS server), destination.port, network.protocol (DNS, DoT, DoH) process.name / executable
Especially the last part is crucial to tie together what process actually caused a lookup to a domain that is malicious.
Finally: Is there an official place to file requests for the Endpoint integration? It doesn't seem to be on Github.
Thanks!