Zeek DNS Logs Into Top DNS Domains Section

Is there a way to get the data from the Zeek DNS logs into the Top DNS Domains panel in the SIEM?

Are you using the Zeek module in Filebeat? At the moment, it does not yet support ECS but uses its own format, and so the data wouldn't show up. We're working on adding DNS to ECS (https://github.com/elastic/ecs/pull/438), and then we can move the Zeek module to use those common fields.

In the meantime, you could do your own mapping with Filebeat processors and/or an Ingest pipeline. The fields behind the columns of the Top DNS Domains table are:

  • dns.question.etld_plus_one
  • dns.question.name
  • source.bytes
  • destination.bytes
  • dns.question.type (e.g. PTR)
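One way to do that mapping, as an added example that is not part of the original thread or of Elastic's Zeek module: the `PIPELINE` dict below is an Elasticsearch ingest pipeline body (what you would `PUT` to `_ingest/pipeline/zeek-dns-ecs`) built only from `rename` processors that move the Filebeat Zeek module's `zeek.dns.*` fields onto the ECS `dns.*` names listed above, and `apply_pipeline()` is a small local interpreter for those `rename` processors so the mapping can be checked offline against a constructed event. The source field names (`zeek.dns.query`, `zeek.dns.qtype_name`, `zeek.dns.qclass_name`, `zeek.dns.rcode_name`) are assumed from the module's dns fieldset; `dns.question.etld_plus_one` is computed here from an embedded public-suffix subset (`PUBLIC_SUFFIXES`, an assumption, not the real list) where a deployment would use a `registered_domain` processor or a script. Note that Zeek's dns.log carries no byte counters, so `source.bytes` and `destination.bytes` stay empty for these events unless you join them to conn.log by `uid`.

```python
"""Map Filebeat Zeek-module DNS events (zeek.dns.*) onto the ECS dns.* fields
read by the SIEM's Top DNS Domains table.  Added example, not Elastic's code."""
import copy
import json

# Ingest pipeline body.  Only `rename` processors are used; `ignore_missing`
# keeps events without a field (e.g. rejected queries) from failing the pipeline.
PIPELINE = {
    "description": "Copy Zeek dns.log fields to ECS dns.* (zeek.dns.* names assumed)",
    "processors": [
        {"rename": {"field": "zeek.dns.query", "target_field": "dns.question.name", "ignore_missing": True}},
        {"rename": {"field": "zeek.dns.qtype_name", "target_field": "dns.question.type", "ignore_missing": True}},
        {"rename": {"field": "zeek.dns.qclass_name", "target_field": "dns.question.class", "ignore_missing": True}},
        {"rename": {"field": "zeek.dns.rcode_name", "target_field": "dns.response_code", "ignore_missing": True}},
    ],
}

# Assumed stand-in for the public suffix list; a real deployment needs the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk", "com.au", "arpa", "in-addr.arpa"}

# Constructed sample, shaped like a Filebeat zeek module dns event (not real traffic).
SAMPLE_EVENT = {
    "@timestamp": "2019-05-01T12:00:00.000Z",
    "event": {"module": "zeek", "dataset": "zeek.dns"},
    "source": {"ip": "10.0.0.5", "port": 51234},
    "destination": {"ip": "10.0.0.53", "port": 53},
    "zeek": {"dns": {"query": "www.example.co.uk", "qtype_name": "A", "qclass_name": "C_INTERNET",
                     "rcode_name": "NOERROR", "answers": ["93.184.216.34"]}},
}


def _walk(doc, path):
    """Return (parent dict or None, leaf key) for a dotted field path."""
    parts = path.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.get(part) if isinstance(node, dict) else None
        if node is None:
            break
    return node, parts[-1]


def _get(doc, path):
    node, leaf = _walk(doc, path)
    return node.get(leaf) if isinstance(node, dict) else None


def _pop(doc, path):
    node, leaf = _walk(doc, path)
    return node.pop(leaf, None) if isinstance(node, dict) else None


def _set(doc, path, value):
    """Create intermediate objects so 'dns.question.name' becomes nested dicts."""
    parts = path.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def etld_plus_one(name):
    """Registered domain (eTLD+1) using the longest matching public suffix.
    Unknown TLDs follow the public-suffix default rule (the TLD itself is the
    suffix); a name that is itself a suffix, or a single label, yields None."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def apply_pipeline(pipeline, event):
    """Apply the `rename` processors locally, then derive etld_plus_one.
    The input event is left untouched; a mapped copy is returned."""
    doc = copy.deepcopy(event)
    for proc in pipeline["processors"]:
        kind, opts = next(iter(proc.items()))
        if kind != "rename":
            raise NotImplementedError(f"processor type not modelled here: {kind}")
        value = _pop(doc, opts["field"])
        if value is None:
            if opts.get("ignore_missing"):
                continue
            raise KeyError(opts["field"])
        _set(doc, opts["target_field"], value)
    name = _get(doc, "dns.question.name")
    registered = etld_plus_one(name) if name else None
    if registered:
        _set(doc, "dns.question.etld_plus_one", registered)
    return doc


if __name__ == "__main__":
    print(json.dumps(PIPELINE, indent=2))            # body for PUT _ingest/pipeline/zeek-dns-ecs
    print(json.dumps(apply_pipeline(PIPELINE, SAMPLE_EVENT), indent=2))
```

Once the pipeline is loaded, point the Zeek module's dns fileset at it (or add the same `rename` entries as Filebeat `rename` processors) and the question name, registered domain and query type will populate the table; the two byte columns need the conn.log join mentioned above.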