How do I get the dns.request.registered_name field?

Hello all,

I've recently started getting familiar with Elastic Security. I'm currently using the 14-day free trial and I have a very small setup with a single Windows 10 machine enrolled as an agent.

When I click on Security > Network > DNS (in Kibana), the graph titled "Top domains by dns.question.registered_domain" is completely blank, with the text "All values returned zero" in the middle of it. The table beneath titled "Top DNS domains" is also completely blank. Everything under the "HTTP" and "TLS" tabs is completely empty as well.

I've gone to look at the raw logs and I see that the DNS request logs are coming in, but the dns.question.registered_domain field does not exist in the logs. Could anyone help or point me to documentation where I could find a way to get this field in? I've looked around but everything I've found seems to be related to configuring specific Beats and not the single agent.

It would be great if anyone had any help for me with the TLS and HTTP tabs as well. I would like to get a bit more familiar with JA3 and I think this could be useful.

Thanks!

What Beats/modules/integrations are you using to ship data? Those will determine what fields are generated and enriched.

Thanks for responding Alex.

I'm using Elastic Agent, and no individual Beat.

I'm using the Endpoint Security integration. Interestingly, it has this dns.question.registered_domain field listed under "Exported fields."

In the integration settings, I have all Protections enabled and all Event Collections checked as well.

Are you getting other dns.* fields?

Yes I am. An example is in the screenshot below:

[Screenshot from 2021-10-17 09-52-11]

I think the DNS request above kinda shows why this field is important from a security perspective. There are so many subdomains and sub-sub-subdomains on windowsupdate.com, but it would be valuable for me to be able to do some analysis based on just the "windowsupdate.com" and determine that this is a safe domain and move on. This would be much faster than trying to follow every single 4-subdomains-deep name, which I'm sure would change all the time for things like Windows Update, OS or web app telemetry services, etc.

Also I kinda expect the default things to work out of the box LOL.
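The point made above (collapsing deep subdomains down to the registrable domain so a "Top domains" view becomes usable) is exactly what `dns.question.registered_domain` encodes. In Elasticsearch this enrichment is normally done by the `registered_domain` ingest processor, which splits a hostname into `registered_domain`, `top_level_domain` and `subdomain` using the Public Suffix List. The Python below is an added example, not code from this thread or from Elastic: it reimplements that split against a tiny, constructed suffix list (the full Public Suffix List is thousands of rules), applies it to a few constructed DNS events shaped like the ECS fields shown in the screenshot, and then counts events per registered domain the way the blank Kibana panel would. Hostnames and rule entries are constructed; `PUBLIC_SUFFIXES`, `split_domain`, `enrich_dns_events` and `top_registered_domains` are names chosen for this example.

```python
"""Derive ECS dns.question.registered_domain from dns.question.name.

Added example: mirrors what Elasticsearch's registered_domain ingest processor
does, but with a constructed mini public-suffix list so it runs offline.
"""
from collections import Counter
from typing import Dict, List, Optional

# Constructed mini public-suffix list in Public Suffix List syntax:
# "*" is a wildcard label, "!" marks an exception to a wildcard rule.
# A real deployment uses the full list, not this hand-picked subset.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "io", "uk",
    "co.uk",       # two-label suffix: b.co.uk is the registrable domain
    "github.io",   # a private-section suffix: each project site is its own "domain"
    "*.ck",        # wildcard: every second-level label under .ck is a suffix ...
    "!www.ck",     # ... except www.ck, which is itself a registrable domain
}


def _rule_matches(rule: str, labels: List[str]) -> bool:
    """PSL matching: compare rule labels against the hostname labels right-to-left."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == l
               for r, l in zip(reversed(rule_labels), reversed(labels)))


def split_domain(name: str) -> Dict[str, Optional[str]]:
    """Split a hostname into top_level_domain / registered_domain / subdomain.

    Follows the Public Suffix List algorithm: an exception rule wins outright,
    otherwise the matching rule with the most labels wins, and if nothing
    matches the implicit "*" rule makes the last label the suffix.
    """
    labels = name.lower().rstrip(".").split(".")
    matching = [r for r in PUBLIC_SUFFIXES if _rule_matches(r, labels)]
    exceptions = [r for r in matching if r.startswith("!")]
    if exceptions:
        suffix_len = len(exceptions[0].split(".")) - 1
    elif matching:
        suffix_len = max(len(r.split(".")) for r in matching)
    else:
        suffix_len = 1
    tld = ".".join(labels[-suffix_len:])
    if len(labels) <= suffix_len:
        # The name *is* a public suffix (e.g. "com"): nothing is registrable.
        return {"top_level_domain": tld, "registered_domain": None, "subdomain": None}
    cut = suffix_len + 1
    return {
        "top_level_domain": tld,
        "registered_domain": ".".join(labels[-cut:]),
        "subdomain": ".".join(labels[:-cut]) or None,
    }


def enrich_dns_events(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Add dns.question.registered_domain / top_level_domain / subdomain to each event."""
    enriched = []
    for event in events:
        parts = split_domain(event["dns.question.name"])
        out = dict(event)
        for key, value in parts.items():
            if value is not None:          # mimic the processor: unset, not null
                out[f"dns.question.{key}"] = value
        enriched.append(out)
    return enriched


def top_registered_domains(events: List[Dict[str, str]]) -> Counter:
    """What the 'Top domains by dns.question.registered_domain' panel aggregates."""
    return Counter(e["dns.question.registered_domain"]
                   for e in enrich_dns_events(events)
                   if "dns.question.registered_domain" in e)


# Constructed sample events shaped like the ECS dns.* fields in the screenshot.
SAMPLE_EVENTS = [
    {"dns.question.name": "au.download.windowsupdate.com", "dns.question.type": "A"},
    {"dns.question.name": "fe3cr.delivery.mp.microsoft.com", "dns.question.type": "A"},
    {"dns.question.name": "tlu.dl.delivery.mp.microsoft.com", "dns.question.type": "A"},
    {"dns.question.name": "ctldl.windowsupdate.com", "dns.question.type": "A"},
    {"dns.question.name": "example-project.github.io", "dns.question.type": "AAAA"},
]

if __name__ == "__main__":
    for event in enrich_dns_events(SAMPLE_EVENTS):
        print(event["dns.question.name"], "->", event.get("dns.question.registered_domain"))
    print(top_registered_domains(SAMPLE_EVENTS).most_common())
```

Once the field is populated, the four-level Windows Update and Microsoft delivery names in the sample collapse to two registered domains, which is the granularity at which an analyst can allow-list, baseline or alert. Note the `github.io` case: because the suffix list treats it as a public suffix, each project site becomes its own registered domain, which is the behaviour you want for shared hosting where unrelated parties sit under one parent name.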
