Open
Description
opened on Jul 3, 2024
In Security Solution > Network > DNS tab, the dns.question.registered_domain field
that the DNS histogram is looking for is not provided by Elastic Defend (dataset endpoint.events.network) by default. Users have to manually create an ingest pipeline
to add the field from dns.question.name
to visualise the chart successfully. We haven't got any guidance on the page to let users know how to generate this field.
Therefore, we would like to create a doc to document this solution and add its link to Security Solution's network page. Please find the issue referred to below.
query:
{
  "aggs": {
    "0": {
      "terms": {
        "field": "dns.question.registered_domain",
        "order": {
          "2": "desc"
        },
        "size": 10,
        "shard_size": 1000
      },
      "aggs": {
        "1": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "30m",
            "time_zone": "Europe/London",
            "extended_bounds": {
              "min": 1719961200000,
              "max": 1720047599999
            }
          },
          "aggs": {
            "2": {
              "cardinality": {
                "field": "dns.question.name"
              }
            }
          }
        },
        "2": {
          "cardinality": {
            "field": "dns.question.name"
          }
        }
      }
    }
  },
  "size": 0,
  "runtime_mappings": {},
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "_index": "auditbeat-*"
                }
              },
              {
                "match_phrase": {
                  "_index": "filebeat-*"
                }
              },
              {
                "match_phrase": {
                  "_index": "logs-*"
                }
              },
              {
                "match_phrase": {
                  "_index": "packetbeat-*"
                }
              },
              {
                "match_phrase": {
                  "_index": "winlogbeat-*"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2024-07-02T23:00:00.000Z",
              "lte": "2024-07-03T22:59:59.999Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": [
        {
          "match_phrase": {
            "dns.question.type": "PTR"
          }
        }
      ]
    }
  }
}
Suggested option 1: Update the query here to use dns.question.name
Suggested option 2: Add a link and a doc to guide users on how to add the dns.question.registered_domain field.
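The following is an added example, not code from this issue, from Kibana or from Elastic Defend. It shows the ingest pipeline that option 2 would document: Elasticsearch's built-in `registered_domain` processor reading `dns.question.name` and writing `dns.question.registered_domain` (plus `top_level_domain` and `subdomain`). It then emulates that processor locally on a handful of constructed DNS events, and runs the issue's terms-aggregation logic over them to show why the chart wants the derived field: bucketing on `dns.question.name` (option 1) yields one bucket per FQDN, while `registered_domain` collapses `api.`, `www.` and `cdn.` of one domain into a single bucket. Assumptions: the pipeline name `logs-endpoint.events.network@custom` relies on Fleet's convention of running a `<type>-<dataset>@custom` pipeline when one exists; `PUBLIC_SUFFIXES` is a tiny constructed stand-in for the real public suffix list the processor embeds; `SAMPLE_EVENTS` are constructed; `simulate_in_elasticsearch` only runs when an `ES_URL` environment variable points at a live cluster.

```python
"""Added example (not Kibana's or Elastic Defend's code): derive
dns.question.registered_domain from dns.question.name with the Elasticsearch
registered_domain ingest processor, emulate it locally, and compare how the
issue's terms aggregation buckets events on each field."""
import json
import os
import urllib.request

# Assumption: Fleet-managed data streams run `<type>-<dataset>@custom` after the
# integration's own pipeline when that pipeline exists, so this name applies the
# processor to Elastic Defend's endpoint.events.network documents.
PIPELINE_NAME = "logs-endpoint.events.network@custom"
PIPELINE_BODY = {
    "description": "Derive dns.question.registered_domain for the Security Solution DNS histogram",
    "processors": [{
        "registered_domain": {
            "field": "dns.question.name",
            # Writes <target_field>.registered_domain, .top_level_domain,
            # .subdomain and .domain, i.e. the ECS names under dns.question.
            "target_field": "dns.question",
            # Non-DNS network events carry no dns.question.name; keep them flowing.
            "ignore_missing": True,
        }
    }],
}

# Constructed stand-in for the public suffix list the real processor embeds:
# single-label and multi-label suffixes, plus in-addr.arpa for PTR names.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "arpa", "in-addr.arpa"}


def registered_domain_fields(name):
    """Local emulation of the registered_domain processor for one name.
    Returns {} when the name is itself a public suffix or matches none of
    PUBLIC_SUFFIXES (simplification: unknown suffixes are not modelled)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):  # first hit is the longest matching suffix
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return {}
            out = {
                "domain": ".".join(labels),
                "registered_domain": ".".join(labels[i - 1:]),
                "top_level_domain": suffix,
            }
            if i > 1:
                out["subdomain"] = ".".join(labels[:i - 1])
            return out
    return {}


def enrich(doc):
    """Apply the pipeline's semantics to one document (ignore_missing respected)."""
    name = doc.get("dns", {}).get("question", {}).get("name")
    if name is None:
        return doc
    enriched = json.loads(json.dumps(doc))  # deep copy, leave the input untouched
    enriched["dns"]["question"].update(registered_domain_fields(name))
    return enriched


def histogram_buckets(docs, field):
    """Emulate the issue's terms aggregation: bucket on dns.question.<field>,
    value = number of unique dns.question.name values, PTR queries excluded
    exactly as the query's must_not clause does."""
    seen = {}
    for doc in docs:
        question = doc.get("dns", {}).get("question", {})
        if question.get("type") == "PTR" or field not in question:
            continue
        seen.setdefault(question[field], set()).add(question["name"])
    return {key: len(names) for key, names in seen.items()}


def simulate_in_elasticsearch(docs, es_url=os.environ.get("ES_URL")):
    """Optional: push the same docs through the real processor via _simulate.
    Does nothing unless ES_URL (e.g. http://localhost:9200) is set."""
    if not es_url:
        return None
    body = json.dumps({"pipeline": PIPELINE_BODY,
                       "docs": [{"_source": d} for d in docs]}).encode()
    req = urllib.request.Request(f"{es_url}/_ingest/pipeline/_simulate", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample events in Elastic Defend's shape (dataset endpoint.events.network).
SAMPLE_EVENTS = [
    {"dns": {"question": {"name": n, "type": t}}}
    for n, t in [
        ("api.example.com", "A"),
        ("www.example.com", "A"),
        ("cdn.example.com", "AAAA"),
        ("login.example.co.uk", "A"),
        ("mail.example.co.uk", "A"),
        ("1.0.168.192.in-addr.arpa", "PTR"),
    ]
] + [{"network": {"protocol": "tcp"}}]  # non-DNS event: must pass through unchanged

if __name__ == "__main__":
    enriched_events = [enrich(d) for d in SAMPLE_EVENTS]
    print("PUT _ingest/pipeline/" + PIPELINE_NAME)
    print(json.dumps(PIPELINE_BODY, indent=2))
    print("by dns.question.name:", histogram_buckets(enriched_events, "name"))
    print("by dns.question.registered_domain:",
          histogram_buckets(enriched_events, "registered_domain"))
```

Running the script prints the `PUT _ingest/pipeline/...` body to create on the cluster and the two bucketings side by side; with `ES_URL` set, `simulate_in_elasticsearch(SAMPLE_EVENTS)` lets you confirm the real processor produces the same `dns.question.registered_domain` values before attaching the pipeline to the data stream.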