DNS Check Malware

Hi all,

How to separate package DNS request malware and bitcoin polling in SIEM?

Hi,

How are you receiving these logs? Are you using the Elastic endpoint to collect this data or are you relying on an IDS & Proxy implementation?

I send Packetbeat to Elastic and I want to separate the malware domain in SIEM.

Can you do it this way?

Oh, I see! So, a static lookup against a set of domains that you mention?

Yes, it should be possible. You can create signals for your query and then observe triggers if any. Have a look at the signal to detect IRC activity to the internet.

Detection rule alerting in SIEM is not running in the Elastic open-source subscription?

Is there any other way?

Yes! Use the API to query data, in a scheduled manner and then perform alerting through an external API integration.

You could also look at some third-party libraries. Everything including Elastic SIEM has its limitations. You could decide what is acceptable and work on it.
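The scheduled-query approach from the reply above, sketched as an added example that is not part of the original thread: it builds the search body a cron job could POST to `packetbeat-*/_search` and turns the hits into per-host alerts. The ECS field names (`dns.question.name`, `dns.question.registered_domain`, `network.protocol`, `source.ip`), the watchlist domains and the sample response are assumptions or constructed data.

```python
import json
from collections import defaultdict

# Constructed watchlist of registered domains; load your own threat-intel list here.
WATCHLIST = {"malware-c2.example", "miner-pool.example"}

def build_query(watchlist, window="now-5m"):
    """Search body: DNS events in the window whose registered domain is listed."""
    return {
        "size": 500,
        "_source": ["@timestamp", "source.ip", "dns.question.name"],
        "query": {"bool": {"filter": [
            {"term": {"network.protocol": "dns"}},
            {"range": {"@timestamp": {"gte": window}}},
            {"terms": {"dns.question.registered_domain": sorted(watchlist)}},
        ]}},
    }

def on_watchlist(name, watchlist):
    """True if name is a watchlist domain or a subdomain of one (label-aligned)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))

def alerts_from_response(response, watchlist):
    """Group matching lookups by client IP, re-checking each name client-side."""
    by_host = defaultdict(set)
    for hit in response["hits"]["hits"]:
        src = hit["_source"]
        name = src["dns"]["question"]["name"]
        if on_watchlist(name, watchlist):
            by_host[src["source"]["ip"]].add(name.lower().rstrip("."))
    return {ip: sorted(names) for ip, names in by_host.items()}

def _hit(ip, name):
    return {"_source": {"source": {"ip": ip}, "dns": {"question": {"name": name}}}}

# Constructed search response (not real traffic), trimmed to the fields used.
SAMPLE_RESPONSE = {"hits": {"hits": [
    _hit("10.0.0.5", "a.malware-c2.example"),
    _hit("10.0.0.5", "Miner-Pool.example."),
    _hit("10.0.0.9", "www.elastic.co"),
]}}

if __name__ == "__main__":
    print(json.dumps(build_query(WATCHLIST), indent=2))
    # Hand this dict to whatever external alerting integration you use.
    print(alerts_from_response(SAMPLE_RESPONSE, WATCHLIST))
```

Run it on a schedule with a window at least as long as the interval so no lookups fall between runs.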

Thank you, I will try to use Elastic alerts to do domain detection :grinning:

We have found something similar for DHCP here https://zeglory.com/monitoring-dhcp-using-elk/ but would be very interested in getting this for DNS as well. Could you kindly share something describing the solution in detail?