New sysmon event_id 22, DNS Query

Hi Everybody

I'm not much of a programmer, but I'm tempted to try to learn to submit some changes to winlogbeat, but would be interested in finding out if I'm doing this right. Newer versions of sysmon added event_id 22, which is a DNS query by a specific process.

I've modified the winlogbeat-sysmon.js file to rename fields based on Here's what I've changed winlogbeat\sysmon\config\winlogbeat-sysmon.js, added:

    var event22 = new processor.Chain()
        fields: [
            {from: "winlog.event_data.UtcTime", to: "@timestamp"},
            {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"},
            {from: "winlog.event_data.ProcessId", to: "", type: "long"},
            {from: "winlog.event_data.Image", to: "process.executable"},
			{from: "winlog.event_data.QueryName", to: ""},
			{from: "winlog.event_data.QueryResults", to: "dns.answers"},
        mode: "rename",
        ignore_missing: true,
        fail_on_error: false,
	// Event ID 22 - Dns Query
	22: event22.Run,

Does this look good? I'm not sure if this complies with the ECS format. I'd also like to get this contributed to the github repo, but that might take too much time for me.

Hi Ian, support for event ID 22 was added in This hasn't been released yet. It uses the fields proposed in

That's great to see. It looks much better than what I did. Now I just have to decide if I should wait for the release, or compile from source.

Thanks for the help


Hey, I tried this today. Compiled from 8/27/2019 github. I have sysmon 10 running and the dns requests are being logged as event id 22. Looking at elasticsearch, it looks like the events are being forwarded. :+1:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.