DNS Sysmon

Thaynara Soares

unread,

Aug 1, 2024, 3:35:41 PM8/1/24

to Wazuh | Mailing List

I installed sysmon in my AD and it is generating dns sysmon logs but these logs do not appear on the wazuh panel

Config local_rules

<group name="windows,sysmon,">
<rule id="100023" level="4">
<if_sid>61600</if_sid>
<field name="win.system.eventID">^22$</field>
<description>Sysmon - Event 22: DNS Query event</description>
<options>no_full_log</options>
<group>sysmon_event_22,</group>
</rule>
</group>

Log Sysmon

- <System>

<Channel>Microsoft-Windows-Sysmon/Operational</Channel>

</System>

- <EventData>

<Data Name="Image"****

</EventData>

</Event>

Luis Daniel Avendaño Larios

unread,

Aug 1, 2024, 5:10:34 PM8/1/24

to Wazuh | Mailing List

Hi Thaynara,

The DNS query events are already being triggered by rule 61650, If you want to get alerts of this event the correct way will be to create an overwrite of this rule.

<if_sid>61600</if_sid>
<field name="win.system.eventID">^22$</field>
<description>Sysmon - Event 22: DNS Query event</description>
<options>no_full_log</options>
<group>sysmon_event_22,</group>
</rule>

</group>

Reference: https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#changing-existing-rules

I hope this helps, let me know if you need anything else.

Regards,

Luis Avendaño.

Message has been deleted

Thaynara Soares

unread,

Aug 1, 2024, 5:36:24 PM8/1/24

to Wazuh | Mailing List

It worked, thank you

Reply all

Reply to author

Forward