I'm investigating outbound DNS connections from an Active Directory Domain Controller. It contacted the DNS server tm1.edgedns-tm.info which is apparently owned by Microsoft. Nothing overly suspicious, but I wanted to check which process did this request, ignoring the system-wide DNS setting.
So I go to check logs from my Elastic Endpoint Integration (7.15 Agent, integration v1.1.1), but there are no traces of a DNS request to that IP.
Maybe it is expected that some system-level DNS request may not be covered by the Endpoint Integration? E.g. requests sent by MS Defender which may be out of reach for the Elastic solution.
I'm fairly certain I searched for the correct parameters. My firewall logs state clearly that it was a connection to 188.8.131.52 (tm1.edgedns-tm.info) on port 53/udp, so nothing fancy. I even searched the entire "logs-*" pattern for `destination.ip: 184.108.40.206` with a sufficiently large time frame - nothing came back. I do see DNS requests from the host in question, recorded by the endpoint integration. Just not to 220.127.116.11.
I can provide Endpoint logs, but I can already state that `%ProgramFiles%\Elastic\Agent\data\elastic-agent-x\logs\elastic-agent-json.log` contains only "information" level logs. Agent status is "healthy" in Fleet.
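An added example (not code from the original post) of the search described above, run offline against constructed ECS-style Elastic Endpoint network events: it reports which process sent traffic to the DNS server on port 53 and which process resolved the name to that address. It assumes the standard ECS field names `destination.ip`, `destination.port`, `process.name`, `process.pid`, `dns.question.name` and `dns.resolved_ip`; the process names and the 10.0.0.53 resolver are constructed sample values.

```python
from ipaddress import ip_address

# Constructed ECS-style endpoint events (sample data, not real captures).
SAMPLE_EVENTS = [
    {"event": {"category": ["network"]}, "network": {"transport": "udp"},
     "process": {"name": "svchost.exe", "pid": 1234},
     "destination": {"ip": "10.0.0.53", "port": 53}},
    {"event": {"category": ["network"]}, "network": {"transport": "udp"},
     "process": {"name": "someagent.exe", "pid": 4321},
     "destination": {"ip": "188.8.131.52", "port": 53}},
    {"event": {"category": ["network"]}, "network": {"transport": "tcp"},
     "process": {"name": "browser.exe", "pid": 999},
     "destination": {"ip": "188.8.131.52", "port": 443}},
    {"event": {"category": ["network"]}, "network": {"transport": "udp"},
     "process": {"name": "svchost.exe", "pid": 1234},
     "dns": {"question": {"name": "tm1.edgedns-tm.info"},
             "resolved_ip": ["188.8.131.52"]},
     "destination": {"ip": "10.0.0.53", "port": 53}},
]


def get(doc, path):
    """Walk a dotted ECS path such as 'destination.ip' through nested dicts."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def dns_callers(events, server_ip, server_name=None):
    """Return sorted (process.name, process.pid, reason) tuples for events that
    either talked to server_ip on port 53 directly (a process bypassing the
    system resolver) or resolved server_name to server_ip (the resolver that
    learned the address). Non-network events and other ports are ignored."""
    target = ip_address(server_ip)
    hits = set()
    for ev in events:
        if "network" not in (get(ev, "event.category") or []):
            continue
        proc = (get(ev, "process.name"), get(ev, "process.pid"))
        dst = get(ev, "destination.ip")
        if dst and ip_address(dst) == target and get(ev, "destination.port") == 53:
            hits.add(proc + (f"direct {get(ev, 'network.transport')}/53 to {server_ip}",))
        if (server_name and get(ev, "dns.question.name") == server_name
                and server_ip in (get(ev, "dns.resolved_ip") or [])):
            hits.add(proc + (f"resolved {server_name} to {server_ip}",))
    return sorted(hits)


if __name__ == "__main__":
    for name, pid, reason in dns_callers(SAMPLE_EVENTS, "188.8.131.52", "tm1.edgedns-tm.info"):
        print(f"{name} (pid {pid}): {reason}")
```

If the firewall shows the connection but no endpoint event carries the address, the gap lies in collection rather than in the query, which is the distinction the question is after.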