Graylog Illuminate is available for use with Graylog Operations and Graylog Security. Contact sales to learn more about obtaining Graylog Illuminate.

The Core DNS Processing Illuminate content pack includes supplementary processing of DNS-related messages and a Spotlight pack that provides additional insights into DNS-related log messages.

Requirement(s)

  • A log source that includes DNS-related messages: either analyzed DNS traffic (including DNS queries) and/or network traffic logs that include traffic to and from DNS servers.
  • Graylog Server with a valid security license, running Graylog version 5.1.11 or later.

Graylog Server Requirement

The Core DNS Processing Illuminate pack requires a Graylog Security license and Graylog 5.1.11 or later due to integration with the Graylog Security Asset Enrichment functionality and the entropy generation functionality.

Background

DNS

DNS, or the Domain Name System, is one of the core protocols in modern networks and is also an important data source for security monitoring and incident response.

Features

Asset Integration

This pack, when enabled, works with the Asset Enrichment feature that is part of Graylog Security. It lets users mark approved DNS servers so that traffic to non-approved DNS servers can be identified.

DNS Request Calculations

This pack will enable the calculation of multiple data points related to DNS requests:

  • DNS Query Request Length
  • DNS Query Response Length
  • DNS Query Entropy
  • DNS Server Approval Status

DNS Query Request/Response Length

This is a simple count of the number of characters in a DNS request or response. It is valuable because, when measured in aggregate, it can expose some attacks that use DNS for data exfiltration and command and control.

DNS Query Request Length

When the field query_request exists, this pack will generate the field query_request_length.

DNS Query Response Length

When the field query_response exists, this pack will generate the field query_response_length.

The query response length is an approximate measurement of the response length. DNS responses can often include multiple values with a separator character. This measurement will include those characters.

DNS Query Request Entropy Calculations

This pack will calculate the entropy of the value of the field query_response, using Shannon's entropy algorithm, when that field exists, and assign it to the field query_request_entropy.

Entropy, in this context, is the measurement of the variability of the data. Some attacks that use Domain Generation Algorithms (DGA) can be detected by measuring the entropy of the DNS request value.

DNS Server Approval Status

This pack works in concert with the Asset Enrichment functionality included with Graylog Server to flag systems that have been designated as approved DNS servers. This can be used to detect misconfigured or unauthorized devices attached to your network and to increase your situational awareness with respect to the operation of your network.

This pack adds the field approved_dns_server with the boolean value true if the device has been identified as an approved DNS server and false if it has not. Note that until a server has been identified as an approved DNS server, all DNS traffic will be considered unapproved.
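The following is an added illustration of the derived fields described in the sections above (request/response length, Shannon entropy of the request, and the approved_dns_server flag); it is example code, not the pack's own pipeline rules. It assumes messages are plain dicts of fields, that the destination server appears in a constructed field named destination_ip, and uses constructed sample assets and messages.

```python
import math
from collections import Counter

# Constructed sample asset entries, mirroring the "approved_dns_servers"
# category that is assigned on the Assets page (assumed structure).
ASSETS = [
    {"name": "corp-dns-01", "ip_addresses": ["10.0.0.53"], "categories": ["approved_dns_servers"]},
    {"name": "file-server", "ip_addresses": ["10.0.0.20"], "categories": []},
]

# Constructed sample DNS messages. The third mimics a Sysmon-style source
# that does not log the destination server at all.
SAMPLE_MESSAGES = [
    {"query_request": "google.com", "query_response": "142.250.80.46,142.250.80.78",
     "destination_ip": "10.0.0.53"},
    {"query_request": "x7k2p9qz4m1v.example", "query_response": "203.0.113.7",
     "destination_ip": "203.0.113.53"},
    {"query_request": "intranet.example"},
]


def shannon_entropy(value: str) -> float:
    """Shannon entropy of a string in bits per character: -sum(p * log2 p)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def approved_dns_servers(assets) -> set:
    """Collect every IP of every asset carrying the approved_dns_servers category."""
    return {ip for a in assets if "approved_dns_servers" in a["categories"]
            for ip in a["ip_addresses"]}


def enrich_dns_message(msg: dict, approved: set) -> dict:
    """Return a copy of msg with the pack's derived fields added."""
    out = dict(msg)
    if "query_request" in msg:
        out["query_request_length"] = len(msg["query_request"])
        out["query_request_entropy"] = round(shannon_entropy(msg["query_request"]), 4)
    if "query_response" in msg:
        # Separator characters between multiple answers are counted, as documented.
        out["query_response_length"] = len(msg["query_response"])
    # No destination (e.g. Sysmon) or an unlisted destination both count as unapproved.
    dst = msg.get("destination_ip")
    out["approved_dns_server"] = dst is not None and dst in approved
    return out


def enrich_all(messages=SAMPLE_MESSAGES, assets=ASSETS) -> list:
    approved = approved_dns_servers(assets)
    return [enrich_dns_message(m, approved) for m in messages]
```

Higher query_request_entropy on the second sample than on the first is the DGA signal the entropy section refers to; the third sample shows why destination-less sources cannot yield an approved status.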

Configuring Approved DNS Servers

Warning: Some DNS log sources, such as Sysmon, do not log the destination server. These sources cannot be used to determine if the server is considered "approved."

Hint: It is possible to add approved external DNS server IPs in the assets page.

In order to define a device as an "approved" DNS server, it must be added to the asset list and assigned a category of approved_dns_servers.

  1. In the Graylog web interface, select the drop-down menu Security and click on the Assets item in this menu.

  2. If there are already assets defined, look for an existing entry for the DNS server to assign approval to. If there is already an asset entry for the DNS server to approve:

    1. Click on the asset entry.
    2. Click in or tab to the Categories text box.
    3. Enter the text approved_dns_servers and hit the Enter key.
    4. Click the Next button repeatedly until you see the Save Asset button.
    5. Click on the Save Asset button.
  3. If there is no existing asset entry:

    1. Click on the New Asset button.
    2. Click on or tab to the Asset Name text box and enter an asset name.
    3. Click on or tab to the IP Addresses text box.
    4. Enter the IP address associated with the DNS server and hit the Enter key.
    5. Repeat this step for any additional IP addresses associated with the approved DNS server.
    6. Add any relevant information to the other fields for this asset.
    7. Click on the Next button to advance to the next page of the asset entry form.
    8. Fill out any of the additional fields desired in the asset entry, clicking the Next button when completed.
    9. Repeat this process for each page of the asset entry dialog.
    10. Click the Save Entry button on the last page of the asset entry dialog.

DNS Processing Spotlight Content Pack

The DNS Processing Spotlight content pack contains a dashboard that provides insights into DNS activity collected in Graylog.

  • Dashboard: Illuminate:DNS Analysis

    • DNS Activity Summary tab: A high-level view of categorized DNS events.

    • DNS Assets tab: Review DNS traffic to approved/unapproved DNS servers.