Microsoft DNS Server integration - remove dot at domain name's end

Hi!
Could someone point me where to look: in the Microsoft DNS Server index, there is a field with the requested domain name - dns.question.name. It contains the domain name that was requested by the client. The only problem is that after parsing from the original Windows server log, it contains an additional dot at the end:

lh3.google.com.

so it could look like:

lh3.google.com

Is there any way to get rid of this dot, so I could use this field in Custom match rule?
Thanks a lot in advance.

PS: Just in case data_stream.dataset: microsoft_dnsserver.analytical

Hi @Zer0-cyber-web Welcome to the community.

What version of the Elastic Stack?

What version of the integration?

Can you turn on "Preserve original event" in the integration and see if that is part of the original event?

Can you share one of the final JSON documents that show this behavior...

Please share

May or may not be a bug. Even if it is, we can probably do a workaround.

It looks like this is part of the expected data

I asked internally as well.

Hi Stephen!
Thanks a lot for the reply.
I am using the Elastic Stack as part of Security Onion (2.4.160); the Elastic version is 8.17.3.
Integration - Microsoft DNS Server v1.2.0 (that is the only one available in my Integrations section, even though GitHub already has v1.4.0).
I turned on "Preserve original event" in the integration, but I don't see any event.original field at the moment...

Existing event JSON part:

"process": {
      "pid": 2644,
      "thread": {
        "id": 5820
      }
    },
    "winlog": {
      "keywords": [
        "RESPONSE_SUCCESS"
      ],
      "provider_guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
      "session": "Elastic-DNSServer-Analytical",
      "flags": "576",
      "channel": "16",
      "activity_id": "{00000000-0000-0000-0000-000000000000}",
      "opcode": "0",
      "version": 0
    },
    "log": {
      "level": "information"
    },
    "elastic_agent": {
      "id": "ead4219b-696a-4de9-9164-f702a6c832e4",
      "version": "8.17.3",
      "snapshot": false
    },
    "dns": {
      "response_code": "NoError",
      "question": {
        "name": "c.idealmedia.io.",
        "type": "A"
      },
      "id": "64509"
    },
    "destination": {
      "port": 56591,
      "ip": "192.168.8.246"
    },
    "microsoft_dnsserver": {
      "analytical": {
        "dnssec": "0",
        "packet_data": "0xFBFD8180000100020000000001630A696465616C6D6564696102696F0000010001C00C000100010000009400046812A442C00C0001000100000094000468128C0F",
        "destination": {},
        "description": "Response success",
        "additional_info": "VirtualizationInstance:.",
        "zone": "..Cache",
        "scope": "Default",
      "guid": "{036ED18C-DEF3-4505-9B82-9782568FCD03}"
      }
    }

Hi @Zer0-cyber-web

Per Engineering

Trailing dots (.) are common in DNS data, as this indicates it is a FQDN.
microsoft_dnsserver version 1.4.0 will populate dns.question.name field without the trailing dot. (PR Reference)

I think you need to focus on why you only have version 1.2 of the integration... Did you try updating the integration? In my environment 1.4 is available.
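Until the 1.4.0 package is installable, the trailing dot can be stripped at ingest time with the dataset's custom pipeline, which Fleet calls from the integration's own pipeline. This is an added example, not code from the thread or from the integration; it assumes the `logs-microsoft_dnsserver.analytical@custom` pipeline name that Fleet reserves for this dataset, and is sent from Kibana Dev Tools as `PUT _ingest/pipeline/logs-microsoft_dnsserver.analytical@custom` with the body below.

```json
{
  "description": "Strip the FQDN trailing dot so dns.question.name matches indicator values (added example)",
  "processors": [
    {
      "gsub": {
        "field": "dns.question.name",
        "pattern": "\\.$",
        "replacement": "",
        "ignore_missing": true,
        "if": "ctx.dns?.question?.name != null && ctx.dns.question.name.length() > 1",
        "description": "Skip the bare root name '.' so it is not turned into an empty string"
      }
    }
  ]
}
```

Only documents ingested after the pipeline exists are affected; already-indexed events keep the dot, so verify with a search on dns.question.name before relying on the indicator match rule.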

Hi Stephen.

Thank you.

Well, it is not about "why there is a dot". For me it is about using this field in an Indicator match rule, and this trailing dot does not allow the comparison to be performed. That is the only reason I started to look around.
Regarding the version - is there any way to install the new version manually? I don't know why my integration page suggests only v1.2.0. Any ideas?

Show me the settings page.

No I am not sure why...

You can try installing it manually

In Kibana Dev Tools

POST kbn:/api/fleet/epm/packages/microsoft_dnsserver/1.4.0

The Security Onion people say that this is because they still use 8.17.3, and they think that v1.4.0 is available only from Elastic 8.19… Can this be a reason?
Dev Tools said "not found".

Settings page:

This is a fresh Elastic Cloud 8.17.3 and it supports integration 1.4.

The Readme says:

The minimum kibana.version required is 8.13.0.

I suspect your issue has something to do with the integration repository (EPR) not updating.

If all else fails...

Clone the Elastic Integrations repository

Build this package

Upload it

Thank you. In fact, Security Onion seems to use their own repository, which contains only checked integrations. But they promised to update it in the next release.
