Cybersecurity Forum



FortiSIEM - Tuning DNS built-in rules using the Networks: Approved Public DNS Folder

Tuning for the following built-in system rules:

End User DNS Queries to Unauthorized DNS Servers
Outbound Traffic to Unapproved Public DNS Servers

FortiSIEM has many built-in rules to start detecting and alerting on events of interest.
Unfortunately, sometimes we do not check these rules for organizational alignment or truly understand the rule logic.
We deconstructed the above rules and noticed the following common conditional attribute:

AND Destination IP NOT IN Networks: Approved Public DNS

This condition would allow any DNS server IP defined in the folder Networks/Approved Public DNS to be "whitelisted",
so, as per an organizational policy of allowed DNS servers, one could update this folder and tune what to trigger on outside of what is allowed by that organization.

The problem arises after FortiSIEM 5.4, when this folder gets automatically updated with publicly available DNS servers.
In version 6.1.1, for example, the list is over 1400 DNS servers. For perspective, before 5.4 there were only around 7 entries in this folder.
In reality, this would mean the above rules do not trigger if any device was using DNS servers from, say, outside the organization or country.
The allowed list for DNS servers is usually small, and triggering on DNS traffic outside of these is a great way to detect potential malicious behavior.

The suggested fix:
Delete this entry in each of the above rules for starters. This will allow the rules to trigger on DNS servers outside the
ones defined under Applications/DNS, which is defined by the following condition included in those rules:

AND Source IP NOT IN Applications: DNS

If you do have other authorized DNS servers besides the ones internal to the organization and beyond what is under Applications/DNS,
then you should use a watchlist and define those there. You can do this by adding a conditional attribute to those rules similar to the sample below:

AND Destination IP NOT IN DyWatchLists: Approved DNS servers

In this way an alert will trigger when DNS traffic is seen outside what has been defined as "normal" operational baselines. This will help greatly reduce the false positives.

Hope this helps. Please let me know your feedback.
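The rule logic discussed in the post, reduced to a small script so the effect of the auto-populated folder can be seen on sample events. This is an added example, not code from the post or from FortiSIEM; the addresses, the event tuples and the Destination Port = 53 condition are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder groups (not from the post). Entries may be single IPs or CIDR
# blocks, as FortiSIEM Networks folders and watchlists can hold either.
APPLICATIONS_DNS = ["10.0.0.53", "10.0.1.53"]                 # the org's internal resolvers
APPROVED_DNS_WATCHLIST = APPLICATIONS_DNS + ["203.0.113.10"]  # DyWatchLists: Approved DNS servers
# Stand-in for the auto-populated "Networks: Approved Public DNS" folder after 5.4; a few
# well-known public resolvers are enough to show the effect of a large list.
AUTO_POPULATED_PUBLIC_DNS = ["8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"]

# Constructed DNS-flow events: (source IP, destination IP, destination port)
EVENTS = [
    ("10.0.5.21", "10.0.0.53", 53),      # workstation -> internal resolver (expected)
    ("10.0.0.53", "203.0.113.10", 53),   # internal resolver -> approved forwarder (expected)
    ("10.0.5.22", "8.8.8.8", 53),        # workstation -> third-party public resolver
    ("10.0.0.53", "1.1.1.1", 53),        # resolver itself; exempt via Source IP NOT IN Applications: DNS
    ("10.0.5.23", "198.51.100.7", 53),   # workstation -> unknown resolver
    ("10.0.5.24", "198.51.100.7", 443),  # not DNS; ignored by the port condition
]

def in_group(ip, group):
    """True if ip matches any entry of group (single address or CIDR block)."""
    addr = ip_address(ip)
    return any(addr in ip_network(entry, strict=False) for entry in group)

def unauthorized_dns(events, approved_destinations, exempt_sources=APPLICATIONS_DNS):
    """Mirror the rule condition discussed in the post:
         Destination Port = 53
         AND Source IP NOT IN Applications: DNS
         AND Destination IP NOT IN <approved destinations>
       Returns the (src, dst) pairs that would trigger the rule."""
    return [(src, dst) for src, dst, port in events
            if port == 53
            and not in_group(src, exempt_sources)
            and not in_group(dst, approved_destinations)]

def before_tuning():
    """Rule as shipped: the auto-populated public DNS folder is part of the allow list."""
    return unauthorized_dns(EVENTS, APPROVED_DNS_WATCHLIST + AUTO_POPULATED_PUBLIC_DNS)

def after_tuning():
    """Rule after the suggested fix: only the org's own watchlist is allowed."""
    return unauthorized_dns(EVENTS, APPROVED_DNS_WATCHLIST)

if __name__ == "__main__":
    print("before:", before_tuning())   # the 8.8.8.8 query passes silently
    print("after: ", after_tuning())    # the 8.8.8.8 query now triggers
```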
