SIEM can't detect DNS activity to Internet

So Discover searches are one option, but you can also drag signals to the timeline (in the SIEM) in order to investigate signals like these. Once in the timeline, you can also search and sift data there. If you find the network connection events for the DNS port 53 traffic from Auditbeat or Winlogbeat, they will contain details of the process which made the calls and sent the packets. You'd need Sysmon event 2, "Network Connect", from Windows hosts, or an equivalent event.
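The triage the reply describes, as an added example that is not part of the original thread: a small Python script that takes ECS-shaped network-connection records of the kind Auditbeat's socket dataset or Winlogbeat (forwarding Sysmon's network-connection event) would index, keeps only port-53 traffic that is not going to the organisation's own resolvers or to a non-routable address, and groups what remains by host, process name and PID. The sample events, the resolver list (`10.0.0.53`, `10.0.0.54`) and the host and process names are constructed for the example; the ECS field names (`destination.ip`, `destination.port`, `process.name`, `process.pid`, `host.name`) are the real ones these Beats populate. The `kql_filter` helper produces the equivalent query string for the SIEM timeline or Discover.

```python
"""Added example: triage of port-53 network-connection events by originating process."""
import ipaddress
from collections import defaultdict

# Constructed sample events. Field names follow ECS; hosts, processes and
# addresses are invented for the example (8.8.8.8 / 1.1.1.1 stand in for
# any public resolver a process might contact directly).
SAMPLE_EVENTS = [
    {"host": {"name": "ws01"}, "process": {"name": "svchost.exe", "pid": 1220},
     "destination": {"ip": "10.0.0.53", "port": 53}, "network": {"transport": "udp"}},
    {"host": {"name": "ws01"}, "process": {"name": "chrome.exe", "pid": 4412},
     "destination": {"ip": "8.8.8.8", "port": 53}, "network": {"transport": "udp"}},
    {"host": {"name": "ws01"}, "process": {"name": "updater.exe", "pid": 5120},
     "destination": {"ip": "1.1.1.1", "port": 53}, "network": {"transport": "tcp"}},
    {"host": {"name": "ws01"}, "process": {"name": "updater.exe", "pid": 5120},
     "destination": {"ip": "1.1.1.1", "port": 53}, "network": {"transport": "tcp"}},
    {"host": {"name": "srv02"}, "process": {"name": "nginx", "pid": 811},
     "destination": {"ip": "8.8.8.8", "port": 443}, "network": {"transport": "tcp"}},
    {"host": {"name": "srv02"}, "process": {"name": "systemd-resolved", "pid": 600},
     "destination": {"ip": "fe80::1", "port": 53}, "network": {"transport": "udp"}},
]

# Hypothetical internal resolvers; replace with the organisation's real ones.
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.0.54"}


def is_external_dns(event, allowed_resolvers=INTERNAL_RESOLVERS):
    """True when the event is port-53 traffic to a globally routable address
    that is not one of the approved internal resolvers."""
    dest = event.get("destination", {})
    if dest.get("port") != 53:
        return False
    ip_text = dest.get("ip")
    if ip_text is None or ip_text in allowed_resolvers:
        return False
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed address: skip it rather than abort the triage
    # Private, loopback, link-local and multicast destinations are not "Internet".
    return ip.is_global


def external_dns_by_process(events, allowed_resolvers=INTERNAL_RESOLVERS):
    """Group external DNS connections by (host, process name, pid).

    Returns a dict mapping that key to a sorted list of (destination ip, count),
    which is the view an analyst wants: which process talked to which resolver, how often.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if not is_external_dns(ev, allowed_resolvers):
            continue
        key = (ev["host"]["name"], ev["process"]["name"], ev["process"]["pid"])
        counts[key][ev["destination"]["ip"]] += 1
    return {key: sorted(per_ip.items()) for key, per_ip in counts.items()}


def kql_filter(allowed_resolvers=INTERNAL_RESOLVERS):
    """KQL expressing the same filter for a timeline or Discover search."""
    resolvers = " or ".join(sorted(allowed_resolvers))
    return f"destination.port: 53 and not destination.ip: ({resolvers})"


if __name__ == "__main__":
    print("Timeline filter:", kql_filter())
    for (host, proc, pid), dests in external_dns_by_process(SAMPLE_EVENTS).items():
        print(f"{host} {proc} (pid {pid}):", ", ".join(f"{ip} x{n}" for ip, n in dests))
```

The grouping deliberately keeps the PID alongside the process name: a trusted name such as `svchost.exe` talking to an unexpected resolver is exactly the case worth a second look, and the PID lets the analyst pivot to the process-creation event for that instance. The `is_global` check is what keeps internal-only resolvers and link-local noise out of the result; it does not decide whether a public resolver is acceptable, which remains a policy call.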
