Sysmon 10 & DNS Queries
On June 19th Mark Russinovich tweeted that the release of Sysmon version 10 will include DNS query logging. Packetbeat is currently being utilized for capturing DNS queries but with the addition of DNS queries in Sysmon this may change.
I have started upgrading sysmon in our environment. I am using the base of SwiftOnSecurity’s AlphaVersion for the new configuration file with some changes to fit better in our environment. The Github repository is located here https://github.com/SwiftOnSecurity/sysmon-config. Adding <DnsQuery onmatch=”exclude”/> to your existing configuration file should be enough but highly recommend against this method as it will be extremely noisy.
Currently the logs get shipped to Graylog3 via Winlogbeat and will be analyzed in Kibana and Graylog3.