DNS Log Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
DNS Log Messages | Base Rule | General DNS Information | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Header: Severity | <severity> | Text/String | N/A |
N/A | <objecttype> | Text/String | dns_log |
action | <action> | Text/String | The verdict for the request. A value of allowed means the outbound unencrypted DNS request was permitted; denied means it was blocked. A blocked request means the requester never receives a resolved IP address for the requested domain. |
proto | <protname> | Text/String | The protocol identified from the packet header. Currently this value is always UDP, because only DNS traffic carried over UDP port 53 is analyzed. |
reason | <reason> | Text/String | The primary reason for the verdict. Possible values are allowedlist, deniedlist, or policy. |
src | <sip> | IP Address | The source IP address of the protected host that issued the unencrypted DNS request. |
dst | <dip> | IP Address | The external destination IP address of the unencrypted DNS request. For example, when a protected IP sends an unencrypted DNS request to a Google DNS server, the Google DNS server is the destination. |
src_port | <sport> | Number | The source port of the request, from the perspective of the local protected host that generated it. On modern equipment this is normally a randomized high-numbered (ephemeral) port. |
dst_port | <dport> | Number | The destination port of the request, from the perspective of the local protected host that generated it. It is always 53, because only outbound UDP port 53 DNS activity is monitored. |
domain | <domainorigin> | Text/String | The domain requested for resolution as part of the unencrypted DNS request. |
dl_active | N/A | N/A | A double-quoted, comma-separated list of all active (enabled) denied domain lists. |
dl_inactive | N/A | N/A | A double-quoted, comma-separated list of all inactive (disabled) denied domain lists. |
al_active | N/A | N/A | A double-quoted, comma-separated list of all active (enabled) allowed domain lists. |
al_inactive | N/A | N/A | A double-quoted, comma-separated list of all inactive (disabled) allowed domain lists. |
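The following is an added example, not part of this documentation or the vendor's or LogRhythm's own parsing rule. It maps the device keys above onto the LogRhythm schema names, splits the quoted list fields, and flags any event that departs from what the table promises (proto always UDP, dst_port always 53, a known action and reason). The key=value message layout, the syslog PRI header as the source of Severity, and the sample log lines are all assumptions constructed for the example; the page only names the fields.

```python
import re

# Device key -> LogRhythm schema field, exactly as in the mapping table above.
KEY_TO_SCHEMA = {
    "action": "action",
    "proto": "protname",
    "reason": "reason",
    "src": "sip",
    "dst": "dip",
    "src_port": "sport",
    "dst_port": "dport",
    "domain": "domainorigin",
}
# Keys with no LogRhythm field; they carry the quoted, comma-separated list names.
LIST_KEYS = ("dl_active", "dl_inactive", "al_active", "al_inactive")

# Syslog PRI header such as "<134>" (assumed layout; the page only names "Header: Severity").
PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs; the value runs until the next " key=" so quoted lists that
# contain commas (and possibly spaces) survive intact.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def split_list(value):
    """'"A","B"' or '"A,B"' -> ['A', 'B']; '""' or '' -> []."""
    items = (item.strip().strip('"') for item in value.split(","))
    return [item for item in items if item]


def parse_dns_log(line):
    """Map one device message onto LogRhythm schema field names."""
    fields = {"objecttype": "dns_log", "lists": {}}
    pri = PRI_RE.match(line)
    if pri:
        # RFC 5424: PRI = facility * 8 + severity, so severity is the low 3 bits.
        fields["severity"] = int(pri.group(1)) % 8
        line = line[pri.end():]
    for key, raw in KV_RE.findall(line):
        if key in KEY_TO_SCHEMA:
            schema = KEY_TO_SCHEMA[key]
            fields[schema] = int(raw) if schema in ("sport", "dport") else raw.strip('"')
        elif key in LIST_KEYS:
            fields["lists"][key] = split_list(raw)
    return fields


def check_expectations(fields):
    """Return the ways a parsed event departs from what the mapping table promises."""
    problems = []
    if fields.get("protname") != "UDP":
        problems.append("proto is not UDP")
    if fields.get("dport") != 53:
        problems.append("dst_port is not 53")
    if fields.get("action") not in ("allowed", "denied"):
        problems.append("unknown action")
    if fields.get("reason") not in ("allowedlist", "deniedlist", "policy"):
        problems.append("unknown reason")
    return problems


def denied_domains(lines):
    """(sip, domain, reason) for every blocked request in a batch of messages."""
    out = []
    for line in lines:
        f = parse_dns_log(line)
        if f.get("action") == "denied":
            out.append((f.get("sip"), f.get("domainorigin"), f.get("reason")))
    return out


# Constructed sample messages; the key=value layout is assumed, not taken from the page.
SAMPLE_LOGS = [
    '<134>action=allowed proto=UDP reason=policy src=10.10.20.15 dst=8.8.8.8 '
    'src_port=51324 dst_port=53 domain=www.example.com '
    'dl_active="Malware","Phishing" dl_inactive="" al_active="Corporate" al_inactive=""',
    '<132>action=denied proto=UDP reason=deniedlist src=10.10.20.22 dst=8.8.4.4 '
    'src_port=40017 dst_port=53 domain=bad.example.net '
    'dl_active="Malware","Phishing" dl_inactive="" al_active="Corporate" al_inactive=""',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        parsed = parse_dns_log(line)
        print(parsed, check_expectations(parsed) or "ok")
    print(denied_domains(SAMPLE_LOGS))
```

If the device ever starts emitting proto=TCP or a non-53 destination port, check_expectations surfaces it, which is a cheap way to notice that the device's behaviour (or this rule's assumptions) has changed before downstream alerting silently misses traffic.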