How to change query in SIEM

tatdat · October 17, 2019, 6:21pm

Im using Elastic stack 7.4 and stup auditbeat, filebeat, packetbeat ready.
Im focus on SIEM -> network, in Top DNS domains panel, i saw , default get top root domain not real domain. ( dns.question.registered_domain instead of dns.question.name)

For example, server query domain abc.xyz.com. In Top DNS domains panel will show xyz.com. It not good, When i use timeline, drag and drop xyz.com, get many result, many event is unrelated. It can be list down aaa.xyz.com, bbb.xyz.com.

How to change query in SIEM panel ?
Thank

{
  "aggregations": {
    "dns_count": {
      "cardinality": {
        "field": "dns.question.registered_domain"
      }
    },
    "dns_name_query_count": {
      "terms": {
        "field": "dns.question.registered_domain",
        "size": 10,
        "order": {
          "unique_domains": "desc"
        }
      },
      "aggs": {
        "unique_domains": {
          "cardinality": {
            "field": "dns.question.name"
          }
        },
        "dns_bytes_in": {
          "sum": {
            "field": "source.bytes"
          }
        },
        "dns_bytes_out": {
          "sum": {
            "field": "destination.bytes"
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": 1571249363494,
              "lte": 1571335763494
            }
          }
        }
      ],
      "must_not": [
        {
          "term": {
            "dns.question.type": {
              "value": "PTR"
            }
          }
        }
      ]
    }
  }
}

cwurm · October 18, 2019, 11:19am

Hi @tatdat, there currently is no way to change the queries used in the SIEM app. You could instead create a table visualization and view it on a dashboard, would that work?

tatdat · October 21, 2019, 2:32am

I found solution. In timeline, select field need to search, and drag & drop value to timeline again.
Love this timeline, very powerful. Thank Elastic SIEM team!

system · November 18, 2019, 2:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
DNS And IDS SIEM Data - Filebeat Elasticsearch Query Issue Elasticsearch	2	384	April 24, 2020
Change siem default query for index? Kibana	2	316	May 11, 2020
Zeek DNS Logs Into Top DNS Domains Section SIEM	2	641	August 26, 2019
DNS Check Malware SIEM	9	667	August 3, 2020
SIEM, Auditbeat Queries SIEM	1	305	October 20, 2020

How to change query in SIEM

Related topics