In SEIM I can see the DNS requests coming out from my machine. Like when I'm visiting google it is logged here in SIEM --> Network --> DNS
I need the contrary, How can I see the DNS of the IP's visiting my machine? Like if some service trying to access my machine?
Thank you all!
Are you looking for reverse dns lookups? If so there is a logstash processor that can do that but it will slow down ingest.
Yes it should be reverse dns lookup, but can't this be done via packetbeat.yml ? Or is there any other solution other than logstash config?
Suppose someone is ingesting directly to elasticsearch without logstash, wouldn't be there any solution for him?
I'm not tracking a way for packetbeat to do that natively. It could potentially decrease performance drastically.
1- Do you have an example of of setting this up?
2- Is it going to add a new field in kibana or it will replace one?
As I said, there is no Beats processor to do a dns lookup of and ip or fqdn. There is a logstash plugin, Dns filter plugin | Logstash Reference [7.12] | Elastic, that can do it but once again it can cause significant performance impacts since it has to wait for the dbs query response.
Many thanks will give a shot and test.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.