DNS records tracking
Hello,
I monitor my Windows Active Directory, which is also my DNS server, through the FortiSIEM Windows agent. How can I detect changes made on the DNS side (record deletion or modification)?
What Windows event IDs should I look for when searching for those kinds of modifications made on the DNS server side?
Did you follow the recommendations from your original post?
https://community.fortinet.com/t5/FortiSIEM-Discussions/DNS-server-event-monitoring/td-p/266150
If you choose to monitor the DNS Audit event log (Microsoft-Windows-DNSServer/Audit):
Admin -> Setup -> Windows Agent
Under Windows Agent Monitor Templates, choose your Template and click Edit
Under Event -> Event Log, click New
Under Type, choose Other
Event Name: Log Name: Microsoft-Windows-DNSServer/Audit
Save / Apply
You will then see:
Event Type: Win-DNS-515-Record-Create
Raw Message Sample:
2023-09-05T13:17:33Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit [phCustId]="1" [customer]="Super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="aac6d305-7f80-48a2-bc78-b63de85e896b" [timeZone]="-0500" [eventName]="Microsoft-Windows-DNSServer/Audit" [eventSource]="Microsoft-Windows-DNSServer" [eventId]="515" [eventType]="Information" [domain]="HOMELAB" [computer]="Win2022DC.homelab.local" [user]="Administrator" [userSID]="S-1-5-21-3781725565-1359118258-3033190851-500" [userSIDAcctType]="User" [eventTime]="Sep 05 2023 13:17:32" [deviceTime]="Sep 05 2023 13:17:32" [msg]="A resource record of type 1, name test.homelab.local, TTL 3600 and RDATA 0x01010101 was created in scope Default of zone homelab.local. [virtualization instance: .]."
Event Type: Win-DNS-516-Record-Delete
Raw Message Sample:
2023-09-05T13:20:40Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit [phCustId]="1" [customer]="Super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="aac6d305-7f80-48a2-bc78-b63de85e896b" [timeZone]="-0500" [eventName]="Microsoft-Windows-DNSServer/Audit" [eventSource]="Microsoft-Windows-DNSServer" [eventId]="516" [eventType]="Information" [domain]="HOMELAB" [computer]="Win2022DC.homelab.local" [user]="Administrator" [userSID]="S-1-5-21-3781725565-1359118258-3033190851-500" [userSIDAcctType]="User" [eventTime]="Sep 05 2023 13:20:40" [deviceTime]="Sep 05 2023 13:20:40" [msg]="A resource record of type 1, name test.homelab.local and RDATA 0x01010101 was deleted from scope Default of zone homelab.local."
You can see the full list of DNS Audit events here
Hello, I applied the first suggestion and it works perfectly. I just have a question about the type of records in the msg we found: "A resource record of type 1, name test.homelab.local and RDATA 0x01010101 was deleted from scope Default of zone homelab.local." What is the significance of those types 1, 2 or 5?
I believe these are simply DNS record types; you can see a list here:
https://en.wikipedia.org/wiki/List_of_DNS_record_types
i.e. type 1 is an A record, etc.
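A small parser, added here as an example (not part of the thread and not FortiSIEM's own code), that runs over the two raw messages quoted in the accepted answer plus a constructed CNAME deletion and a constructed unrelated logon event, keeps only the 515/516 record-change events, and maps the numeric type from the msg text to its RR name, which is the type 1/2/5 question asked in the last post. The A-record RDATA decoding is an assumption inferred from the 0x01010101 sample (four address bytes in hex).

```python
import re
from typing import Dict, List, Optional

# Record-change event IDs from the Microsoft-Windows-DNSServer/Audit log shown in the thread.
EVENT_ACTIONS = {"515": "created", "516": "deleted"}
# Numeric RR types as printed in the msg text (IANA values): type 1 is an A record, 5 a CNAME, ...
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}
# FortiSIEM attributes look like [key]="value"; "[virtualization instance: .]" inside msg has no '="', so it stays in the value.
ATTR_RE = re.compile(r'\[(\w+)\]="([^"]*)"')
# The 515 wording carries a TTL, the 516 wording does not; both carry name, RDATA, scope and zone.
MSG_RE = re.compile(
    r"A resource record of type (?P<type>\d+), name (?P<name>\S+?)(?:, TTL (?P<ttl>\d+))?"
    r" and RDATA (?P<rdata>\S+) was (?:created in|deleted from) scope (?P<scope>\S+) of zone (?P<zone>\S+)\."
)

def parse_attrs(line: str) -> Dict[str, str]:
    """Split one FortiSIEM WinLog raw message into its [key]="value" attributes."""
    return dict(ATTR_RE.findall(line))

def decode_a_rdata(rdata_hex: str) -> Optional[str]:
    """Assumption: for A records the RDATA hex is the four address bytes (0x01010101 -> 1.1.1.1)."""
    raw = bytes.fromhex(rdata_hex[2:]) if rdata_hex.startswith("0x") else b""
    return ".".join(str(b) for b in raw) if len(raw) == 4 else None

def parse_dns_record_event(line: str) -> Optional[dict]:
    """Normalise one 515/516 DNS audit event; return None for any other line."""
    attrs = parse_attrs(line)
    action = EVENT_ACTIONS.get(attrs.get("eventId", ""))
    if attrs.get("eventSource") != "Microsoft-Windows-DNSServer" or action is None:
        return None
    m = MSG_RE.search(attrs.get("msg", ""))
    if m is None:
        return None  # msg text does not match the record create/delete wording
    rtype = int(m.group("type"))
    return {"action": action, "user": attrs.get("user"), "computer": attrs.get("computer"),
            "record_type": RR_TYPES.get(rtype, f"TYPE{rtype}"), "name": m.group("name"),
            "rdata": m.group("rdata"), "ttl": m.group("ttl"), "scope": m.group("scope"),
            "zone": m.group("zone"), "address": decode_a_rdata(m.group("rdata")) if rtype == 1 else None}

def record_changes(lines: List[str]) -> List[dict]:
    """Keep only the DNS record create/delete events out of a batch of raw FortiSIEM lines."""
    return [ev for ev in map(parse_dns_record_event, lines) if ev is not None]

# Sample batch: the two raw messages quoted in the thread, plus a constructed CNAME deletion and a constructed Security-log logon event that must be ignored.
SAMPLE_LINES = [
    '2023-09-05T13:17:33Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit [phCustId]="1" [customer]="Super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="aac6d305-7f80-48a2-bc78-b63de85e896b" [timeZone]="-0500" [eventName]="Microsoft-Windows-DNSServer/Audit" [eventSource]="Microsoft-Windows-DNSServer" [eventId]="515" [eventType]="Information" [domain]="HOMELAB" [computer]="Win2022DC.homelab.local" [user]="Administrator" [userSID]="S-1-5-21-3781725565-1359118258-3033190851-500" [userSIDAcctType]="User" [eventTime]="Sep 05 2023 13:17:32" [deviceTime]="Sep 05 2023 13:17:32" [msg]="A resource record of type 1, name test.homelab.local, TTL 3600 and RDATA 0x01010101 was created in scope Default of zone homelab.local. [virtualization instance: .]."',
    '2023-09-05T13:20:40Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit [phCustId]="1" [customer]="Super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="aac6d305-7f80-48a2-bc78-b63de85e896b" [timeZone]="-0500" [eventName]="Microsoft-Windows-DNSServer/Audit" [eventSource]="Microsoft-Windows-DNSServer" [eventId]="516" [eventType]="Information" [domain]="HOMELAB" [computer]="Win2022DC.homelab.local" [user]="Administrator" [userSID]="S-1-5-21-3781725565-1359118258-3033190851-500" [userSIDAcctType]="User" [eventTime]="Sep 05 2023 13:20:40" [deviceTime]="Sep 05 2023 13:20:40" [msg]="A resource record of type 1, name test.homelab.local and RDATA 0x01010101 was deleted from scope Default of zone homelab.local."',
    '2023-09-05T13:25:01Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit [eventName]="Microsoft-Windows-DNSServer/Audit" [eventSource]="Microsoft-Windows-DNSServer" [eventId]="516" [computer]="Win2022DC.homelab.local" [user]="Administrator" [msg]="A resource record of type 5, name www.homelab.local and RDATA 0x03777777 was deleted from scope Default of zone homelab.local."',
    '2023-09-05T13:26:10Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Security [eventName]="Security" [eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4624" [user]="Administrator" [msg]="An account was successfully logged on."',
]
```

Calling `record_changes(SAMPLE_LINES)` yields three normalised events (A created, A deleted, CNAME deleted) and drops the logon event; feed it the raw message text FortiSIEM shows for Win-DNS-515/516 events to get user, zone, name and decoded address per change.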
