I've recently started getting familiar with Elastic Security. I'm currently using the 14-day free trial and I have a very small setup with a single Windows 10 machine enrolled as an agent.
When I click on Security > Network > DNS (in Kibana), the graph titled "Top domains by dns.question.registered_domain" is completely blank, with the text "All values returned zero" in the middle of it. The table beneath titled "Top DNS domains" is also completely blank. Everything under the "HTTP" and "TLS" tabs is completely empty as well.
I've gone to look at the raw logs and I see that the DNS request logs are coming in, but the dns.question.registered_domain field does not exist in the logs. Could anyone help or point me to documentation where I could find a way to get this field in? I've looked around but everything I've found seems to be related to configuring specific Beats and not the single agent.
It would be great if anyone had any help for me with the TLS and HTTP tabs as well. I would like to get a bit more familiar with JA3 and I think this could be useful.
I think the DNS request above kinda shows why this field is important from a security perspective. There are so many subdomains and sub-sub-subdomains on windowsupdate.com, but it would be valuable for me to be able to do some analysis based on just the "windowsupdate.com" and determine that this is a safe domain and move on. This would be much faster than trying to follow every single 4-subdomains-deep name, which I'm sure would change all the time for things like Windows Update, OS or web app telemetry services, etc.
Also I kinda expect the default things to work out of the box LOL.
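Added example, not part of the original post: one way to populate the missing field is an Elasticsearch ingest pipeline with the `registered_domain` processor, which splits a hostname against the public suffix list and writes `registered_domain`, `top_level_domain` and `subdomain` under the target object. The block is a request body for `POST _ingest/pipeline/_simulate` in Kibana Dev Tools; the description text and the DNS name `a.b.c.windowsupdate.com` are constructed, and which data stream's custom pipeline this should be attached to is an assumption that depends on the integration producing the DNS events.

```json
{
  "pipeline": {
    "description": "Added example (hypothetical): derive ECS dns.question.registered_domain from dns.question.name",
    "processors": [
      {
        "registered_domain": {
          "field": "dns.question.name",
          "target_field": "dns.question",
          "ignore_missing": true
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "dns": {
          "question": {
            "name": "a.b.c.windowsupdate.com"
          }
        }
      }
    }
  ]
}
```

For the constructed document the simulated output carries `dns.question.registered_domain: "windowsupdate.com"`, `dns.question.top_level_domain: "com"` and `dns.question.subdomain: "a.b.c"`, which is the eTLD+1 the "Top DNS domains" table aggregates on.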