IBM Security QRadar

Hmmm
We are interested in ingesting Windows DNS logs into QRadar so that we can see when machines might start trying to connect to C&C servers etc.  The QRadar DNS Analyser app looks good for this.
Reading the various manuals and posts, what we really need is the input from the Microsoft DNS Analytics logs because these are designed to run all the time with minimal impact on the server, as opposed to the Debug logs which impact performance.  HOWEVER (and here is the rub), to get WinCollect to read the DNS Analytics log, you have to set the log so that it WILL NOT automatically overwrite the logs when they fill up.  When the logs fill up, logging stops, and you have to manually log onto the DNS server and clear down the log, then restart the WinCollect server, to get log data flowing again.  This seems a trifle....inelegant.
It's not IBM's fault, its the way that Microsoft has coded the DNS Analytic logging, and all the products around seem to have the same issue.
I understand all the above, but the DNS Analyser app is advertised as the be-all and end-all of good things for DNS reporting, but how can it be if you have to manually log onto every one of your Windows DNS servers multiple times a day to clear down the logs and restart the collector?
Can I please ask anyone out there who is using the DNS Analyser App with Windows DNS logs what they are doing around this issue, and any hints and tips they may have.
Thanks

Ross

------------------------------
Ross Wakelin
------------------------------

In my deployment we have a maximum size defined for the dns debug log, so it is rotated automatically. This settings is in dns debug logging section

L:

------------------------------
Laszlo Pal
------------------------------

Original Message:
Sent: Tue November 26, 2019 10:21 PM
From: Ross Wakelin
Subject: Windows DNS logs and DNS Analyser

Hmmm
We are interested in ingesting Windows DNS logs into QRadar so that we can see when machines might start trying to connect to C&C servers etc.  The QRadar DNS Analyser app looks good for this.
Reading the various manuals and posts, what we really need is the input from the Microsoft DNS Analytics logs because these are designed to run all the time with minimal impact on the server, as opposed to the Debug logs which impact performance.  HOWEVER (and here is the rub), to get WinCollect to read the DNS Analytics log, you have to set the log so that it WILL NOT automatically overwrite the logs when they fill up.  When the logs fill up, logging stops, and you have to manually log onto the DNS server and clear down the log, then restart the WinCollect server, to get log data flowing again.  This seems a trifle....inelegant.
It's not IBM's fault, its the way that Microsoft has coded the DNS Analytic logging, and all the products around seem to have the same issue.
I understand all the above, but the DNS Analyser app is advertised as the be-all and end-all of good things for DNS reporting, but how can it be if you have to manually log onto every one of your Windows DNS servers multiple times a day to clear down the logs and restart the collector?
Can I please ask anyone out there who is using the DNS Analyser App with Windows DNS logs what they are doing around this issue, and any hints and tips they may have.
Thanks

Ross

------------------------------
Ross Wakelin
------------------------------

The DNS Analyser app requires you deploy a  QRadar QNI Appliance.  If you do not own the QNI Appliance add -on for QRadar the DNS Analyser application will not provide the value it was created for. IT appears you are trying to ingest DNS logs using the app, I suggest you read the documentation and you will clearly see the need for QNI.

------------------------------
Richard Gingras
QRadar SME
IBM Security
Cambridge MA
------------------------------

Original Message:
Sent: Tue November 26, 2019 10:21 PM
From: Ross Wakelin
Subject: Windows DNS logs and DNS Analyser

Hmmm
We are interested in ingesting Windows DNS logs into QRadar so that we can see when machines might start trying to connect to C&C servers etc.  The QRadar DNS Analyser app looks good for this.
Reading the various manuals and posts, what we really need is the input from the Microsoft DNS Analytics logs because these are designed to run all the time with minimal impact on the server, as opposed to the Debug logs which impact performance.  HOWEVER (and here is the rub), to get WinCollect to read the DNS Analytics log, you have to set the log so that it WILL NOT automatically overwrite the logs when they fill up.  When the logs fill up, logging stops, and you have to manually log onto the DNS server and clear down the log, then restart the WinCollect server, to get log data flowing again.  This seems a trifle....inelegant.
It's not IBM's fault, its the way that Microsoft has coded the DNS Analytic logging, and all the products around seem to have the same issue.
I understand all the above, but the DNS Analyser app is advertised as the be-all and end-all of good things for DNS reporting, but how can it be if you have to manually log onto every one of your Windows DNS servers multiple times a day to clear down the logs and restart the collector?
Can I please ask anyone out there who is using the DNS Analyser App with Windows DNS logs what they are doing around this issue, and any hints and tips they may have.
Thanks

Ross

------------------------------
Ross Wakelin
------------------------------

​Interesting.  No-where in the DNS Analyser documentation does it say that QNI is REQUIRED.  It says that if you want to ingest the flows, then QNI is needed, but it also says that it will work just fine without flows, just using events, even though it won't be so efficient.

------------------------------
Ross Wakelin
------------------------------

Original Message:
Sent: Mon December 02, 2019 08:19 AM
From: Richard Gingras
Subject: Windows DNS logs and DNS Analyser

The DNS Analyser app requires you deploy a  QRadar QNI Appliance.  If you do not own the QNI Appliance add -on for QRadar the DNS Analyser application will not provide the value it was created for. IT appears you are trying to ingest DNS logs using the app, I suggest you read the documentation and you will clearly see the need for QNI.

------------------------------
Richard Gingras
QRadar SME
IBM Security
Cambridge MA

Original Message:
Sent: Tue November 26, 2019 10:21 PM
From: Ross Wakelin
Subject: Windows DNS logs and DNS Analyser

Hmmm
We are interested in ingesting Windows DNS logs into QRadar so that we can see when machines might start trying to connect to C&C servers etc.  The QRadar DNS Analyser app looks good for this.
Reading the various manuals and posts, what we really need is the input from the Microsoft DNS Analytics logs because these are designed to run all the time with minimal impact on the server, as opposed to the Debug logs which impact performance.  HOWEVER (and here is the rub), to get WinCollect to read the DNS Analytics log, you have to set the log so that it WILL NOT automatically overwrite the logs when they fill up.  When the logs fill up, logging stops, and you have to manually log onto the DNS server and clear down the log, then restart the WinCollect server, to get log data flowing again.  This seems a trifle....inelegant.
It's not IBM's fault, its the way that Microsoft has coded the DNS Analytic logging, and all the products around seem to have the same issue.
I understand all the above, but the DNS Analyser app is advertised as the be-all and end-all of good things for DNS reporting, but how can it be if you have to manually log onto every one of your Windows DNS servers multiple times a day to clear down the logs and restart the collector?
Can I please ask anyone out there who is using the DNS Analyser App with Windows DNS logs what they are doing around this issue, and any hints and tips they may have.
Thanks

Ross

------------------------------
Ross Wakelin
------------------------------

As is mentioned in the IBM Knowledge Center, "The DNS Analyzer app ingests domain request data from both QNI flows and server logs". If I 'm not mistaken, there were previously mentions with earlier releases that you should opt to use either logs or flow.
That said, as Windows handles DNS logging currently, I do not think it is realistically viable for continuous use. Using QNI would enable you to get needed insight.

------------------------------
Dusan VIDOVIC
------------------------------

Original Message:
Sent: Mon December 02, 2019 03:39 PM
From: Ross Wakelin
Subject: Windows DNS logs and DNS Analyser

​Interesting.  No-where in the DNS Analyser documentation does it say that QNI is REQUIRED.  It says that if you want to ingest the flows, then QNI is needed, but it also says that it will work just fine without flows, just using events, even though it won't be so efficient.

------------------------------
Ross Wakelin

Original Message:
Sent: Mon December 02, 2019 08:19 AM
From: Richard Gingras
Subject: Windows DNS logs and DNS Analyser

The DNS Analyser app requires you deploy a  QRadar QNI Appliance.  If you do not own the QNI Appliance add -on for QRadar the DNS Analyser application will not provide the value it was created for. IT appears you are trying to ingest DNS logs using the app, I suggest you read the documentation and you will clearly see the need for QNI.

------------------------------
Richard Gingras
QRadar SME
IBM Security
Cambridge MA

Original Message:
Sent: Tue November 26, 2019 10:21 PM
From: Ross Wakelin
Subject: Windows DNS logs and DNS Analyser

Hmmm
We are interested in ingesting Windows DNS logs into QRadar so that we can see when machines might start trying to connect to C&C servers etc.  The QRadar DNS Analyser app looks good for this.
Reading the various manuals and posts, what we really need is the input from the Microsoft DNS Analytics logs because these are designed to run all the time with minimal impact on the server, as opposed to the Debug logs which impact performance.  HOWEVER (and here is the rub), to get WinCollect to read the DNS Analytics log, you have to set the log so that it WILL NOT automatically overwrite the logs when they fill up.  When the logs fill up, logging stops, and you have to manually log onto the DNS server and clear down the log, then restart the WinCollect server, to get log data flowing again.  This seems a trifle....inelegant.
It's not IBM's fault, its the way that Microsoft has coded the DNS Analytic logging, and all the products around seem to have the same issue.
I understand all the above, but the DNS Analyser app is advertised as the be-all and end-all of good things for DNS reporting, but how can it be if you have to manually log onto every one of your Windows DNS servers multiple times a day to clear down the logs and restart the collector?
Can I please ask anyone out there who is using the DNS Analyser App with Windows DNS logs what they are doing around this issue, and any hints and tips they may have.
Thanks

Ross

------------------------------
Ross Wakelin
------------------------------

We are facing with the same issue. Has anyone a solution how to ingest Microsoft DNS logs continuously in QRadar?

------------------------------
Rouven Schierscher
------------------------------

Original Message:
Sent: Tue November 26, 2019 10:21 PM
From: Ross Wakelin
Subject: Windows DNS logs and DNS Analyser

Hmmm
We are interested in ingesting Windows DNS logs into QRadar so that we can see when machines might start trying to connect to C&C servers etc.  The QRadar DNS Analyser app looks good for this.
Reading the various manuals and posts, what we really need is the input from the Microsoft DNS Analytics logs because these are designed to run all the time with minimal impact on the server, as opposed to the Debug logs which impact performance.  HOWEVER (and here is the rub), to get WinCollect to read the DNS Analytics log, you have to set the log so that it WILL NOT automatically overwrite the logs when they fill up.  When the logs fill up, logging stops, and you have to manually log onto the DNS server and clear down the log, then restart the WinCollect server, to get log data flowing again.  This seems a trifle....inelegant.
It's not IBM's fault, its the way that Microsoft has coded the DNS Analytic logging, and all the products around seem to have the same issue.
I understand all the above, but the DNS Analyser app is advertised as the be-all and end-all of good things for DNS reporting, but how can it be if you have to manually log onto every one of your Windows DNS servers multiple times a day to clear down the logs and restart the collector?
Can I please ask anyone out there who is using the DNS Analyser App with Windows DNS logs what they are doing around this issue, and any hints and tips they may have.
Thanks

Ross

------------------------------
Ross Wakelin
------------------------------

The DNS analyzer app is designed to work with a QRadar Network Insight (QNI) appliance which also requires you have flows as part of your deployment. If you do not have both in your deployment that is your issue in getting the value from the app.

------------------------------
Richard Gingras
QRadar SME
IBM Security
Cambridge MA
------------------------------

Original Message:
Sent: Thu April 02, 2020 11:26 AM
From: Rouven Schierscher
Subject: Windows DNS logs and DNS Analyser

We are facing with the same issue. Has anyone a solution how to ingest Microsoft DNS logs continuously in QRadar?

------------------------------
Rouven Schierscher

Original Message:
Sent: Tue November 26, 2019 10:21 PM
From: Ross Wakelin
Subject: Windows DNS logs and DNS Analyser

Hmmm
We are interested in ingesting Windows DNS logs into QRadar so that we can see when machines might start trying to connect to C&C servers etc.  The QRadar DNS Analyser app looks good for this.
Reading the various manuals and posts, what we really need is the input from the Microsoft DNS Analytics logs because these are designed to run all the time with minimal impact on the server, as opposed to the Debug logs which impact performance.  HOWEVER (and here is the rub), to get WinCollect to read the DNS Analytics log, you have to set the log so that it WILL NOT automatically overwrite the logs when they fill up.  When the logs fill up, logging stops, and you have to manually log onto the DNS server and clear down the log, then restart the WinCollect server, to get log data flowing again.  This seems a trifle....inelegant.
It's not IBM's fault, its the way that Microsoft has coded the DNS Analytic logging, and all the products around seem to have the same issue.
I understand all the above, but the DNS Analyser app is advertised as the be-all and end-all of good things for DNS reporting, but how can it be if you have to manually log onto every one of your Windows DNS servers multiple times a day to clear down the logs and restart the collector?
Can I please ask anyone out there who is using the DNS Analyser App with Windows DNS logs what they are doing around this issue, and any hints and tips they may have.
Thanks

Ross

------------------------------
Ross Wakelin
------------------------------

Original Message------

The DNS analyzer app is designed to work with a QRadar Network Insight (QNI) appliance which also requires you have flows as part of your deployment. If you do not have both in your deployment that is your issue in getting the value from the app.

------------------------------
Richard Gingras
QRadar SME
IBM Security
Cambridge MA
------------------------------

While QRadar relies on other inputs in using the app, for the DNS Analyzer app to detect exfiltration through DNS requires an QNI Appliance. Add one and you will gain the visibility you seek.

------------------------------
Richard Gingras
QRadar SME
IBM Security
Cambridge MA
------------------------------

Original Message:
Sent: Fri April 03, 2020 03:25 AM
From: Laszlo Pal
Subject: Windows DNS logs and DNS Analyser

Yes, ONE of the source is Network Insight, but it is also using Netflow and Windows DNS logs as it is stated in the documentation.,

 

However, I agree there are mystical issues regarding Windows DNS logs like this

• Wincollect agent can't collect the logs from Core server for unknown reason
• Most recently one of the Win2016 server failing to send logs for unknown reason

 

 

Pál László

Security Architect

 

Original Message------

The DNS analyzer app is designed to work with a QRadar Network Insight (QNI) appliance which also requires you have flows as part of your deployment. If you do not have both in your deployment that is your issue in getting the value from the app.

------------------------------
Richard Gingras
QRadar SME
IBM Security
Cambridge MA
------------------------------