GIM Category: name resolution
The Name Resolution category covers events where a system attempts to translate a hostname or service name into a network address. While this category is primarily focused on DNS today, it is designed to support other resolution protocols such as NBNS, LLMNR, or mDNS in the future.
Name resolution events are important for identifying which domains or services a system is attempting to reach. They are often analyzed to detect malicious domains, troubleshoot connectivity problems, and correlate higher-level network activity back to its origin.
dns request
DNS request events represent a system attempting to resolve a hostname or service name. These events capture the fact that a query was made to a DNS server, regardless of the eventual response.
They provide visibility into what domains or services a system is trying to reach, which can be critical for investigations, threat hunting, or identifying unusual communication patterns.
Required Fields
query_request
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 140000 | | name resolution | name resolution.dns request | dns query | An attempt to resolve a hostname to a network address via DNS was made |
dns answer
DNS answer events represent a server’s response to a DNS query. Responses may indicate successful resolution (e.g., returning an IP address) or negative results such as NXDOMAIN or SERVFAIL, which are still considered valid answers.
Capturing both successful and unsuccessful responses allows analysts to track resolution outcomes, detect attempts to reach malicious or non-existent domains, and troubleshoot connectivity problems.
Required Fields
query_response
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 140200 | | name resolution | name resolution.dns answer | dns response | An answer to a DNS request was provided |
error
DNS error events represent situations where a DNS query could not be completed because the server was unable to return any valid response. These errors are distinct from negative responses such as NXDOMAIN or SERVFAIL, which are valid answers.
Instead, they capture conditions such as transport failures, protocol violations, or server-side issues that prevent the query from being answered at all. Monitoring these events is useful for detecting infrastructure problems, misconfigurations, or disruptions in the resolution service.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 140300 | | name resolution | name resolution.error | dns error | A DNS request has resulted in an error |
ddns update
DDNS update events represent attempts to modify DNS records dynamically, without requiring manual changes on the authoritative DNS server. This mechanism is often used in enterprise networks to allow clients or services to automatically register or update their own hostnames.
While common in environments with frequently changing devices (such as laptops or virtual machines), DDNS updates can also be abused by attackers to maintain control of malicious infrastructure or evade detection by rapidly changing domain-to-IP mappings.
Tracking DDNS updates is useful for identifying normal infrastructure activity and spotting unusual or unauthorized record changes.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 140500 | | name resolution | name resolution.ddns update | ddns update | A request to update a dynamic DNS record entry was made |
default
The default subcategory is used for DNS or name resolution events that do not fit into a more specific subcategory such as request, answer, error, or DDNS update. These may include vendor-specific log formats, generalized informational messages, or cases where the event cannot be reliably classified.
By providing a catch-all, the default subcategory ensures that all name resolution activity is captured and normalized, even when detailed parsing is not possible.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 149999 | | name resolution | name resolution.default | dns message | DNS-related messages |
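The subcategory rules above (NXDOMAIN and SERVFAIL are answers, transport failures are errors, unclassifiable records fall to default) can be expressed as one normalization step. The following is an added example, not code from the GIM documentation; the parsed record layout it reads (`msg_type`, `qname`, `rcode`, `answer`, `transport_error`) is an assumption made for the illustration.

```python
# Added example, not code from the GIM documentation: map parsed DNS log
# records onto the name-resolution event types tabled on this page.
# The input record layout (msg_type, qname, rcode, answer, transport_error)
# is an assumption made for this illustration, not a field the model defines.
# Subcategory -> (event type code, event subcategory, event type) from the page.
GIM_NAME_RESOLUTION = {
    "dns request": (140000, "name resolution.dns request", "dns query"),
    "dns answer": (140200, "name resolution.dns answer", "dns response"),
    "error": (140300, "name resolution.error", "dns error"),
    "ddns update": (140500, "name resolution.ddns update", "ddns update"),
    "default": (149999, "name resolution.default", "dns message"),
}


def classify(record: dict) -> dict:
    """Return the GIM fields for one parsed DNS log record."""
    msg_type = record.get("msg_type")
    # A transport or protocol failure means no valid DNS response exists,
    # so the record is an error even if it also carries a query name.
    if record.get("transport_error"):
        sub = "error"
    elif msg_type == "update":
        sub = "ddns update"
    elif msg_type == "query" and record.get("qname"):
        sub = "dns request"
    # Any response carrying an RCODE is a valid answer, including negative
    # results such as NXDOMAIN or SERVFAIL.
    elif msg_type == "response" and record.get("rcode"):
        sub = "dns answer"
    else:
        sub = "default"  # catch-all so the event is still normalized

    code, subcategory, event_type = GIM_NAME_RESOLUTION[sub]
    fields = {
        "gim_event_type_code": code,
        "gim_event_category": "name resolution",
        "gim_event_subcategory": subcategory,
        "gim_event_type": event_type,
    }
    # Required fields from the page: requests carry the name asked for,
    # answers carry the result returned (the RCODE when no data came back).
    if sub == "dns request":
        fields["query_request"] = record["qname"]
    elif sub == "dns answer":
        fields["query_response"] = record.get("answer") or record["rcode"]
    return fields


# Constructed sample records: an NXDOMAIN reply is an answer, a timeout is an error.
NXDOMAIN_REPLY = {"msg_type": "response", "qname": "missing.example", "rcode": "NXDOMAIN"}
TIMED_OUT_QUERY = {"msg_type": "query", "qname": "example.com", "transport_error": "timeout"}
```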
