Hello,
I monitor my Windows Active Directory server, which is also my DNS server, through the FortiSIEM Windows agent. How can I detect changes made on the DNS side (record deletion or modification)?
What Windows event IDs should I look for when searching for those kinds of modifications made on the DNS server side?
Did you follow the recommendations from your original post?
https://community.fortinet.com/t5/FortiSIEM-Discussions/DNS-server-event-monitoring/td-p/266150
If you choose to monitor the DNS Audit event log: Microsoft-Windows-DNSServer/Audit
Admin -> Setup -> Windows Agent
Under Windows Agent Monitor Templates, choose your Template click Edit
Under Event -> Event Log .. New
Under Type -> Choose Other
Event Name: Log Name: Microsoft-Windows-DNSServer/Audit
Save / Apply
You will then see:
Event Type: Win-DNS-515-Record-Create
Raw Message Sample:
2023-09-05T13:17:33Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit [phCustId]="1" [customer]="Super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="aac6d305-7f80-48a2-bc78-b63de85e896b" [timeZone]="-0500" [eventName]="Microsoft-Windows-DNSServer/Audit" [eventSource]="Microsoft-Windows-DNSServer" [eventId]="515" [eventType]="Information" [domain]="HOMELAB" [computer]="Win2022DC.homelab.local" [user]="Administrator" [userSID]="S-1-5-21-3781725565-1359118258-3033190851-500" [userSIDAcctType]="User" [eventTime]="Sep 05 2023 13:17:32" [deviceTime]="Sep 05 2023 13:17:32" [msg]="A resource record of type 1, name test.homelab.local, TTL 3600 and RDATA 0x01010101 was created in scope Default of zone homelab.local. [virtualization instance: .]."
Event Type: Win-DNS-516-Record-Delete
Raw Message Sample:
2023-09-05T13:20:40Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit [phCustId]="1" [customer]="Super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="aac6d305-7f80-48a2-bc78-b63de85e896b" [timeZone]="-0500" [eventName]="Microsoft-Windows-DNSServer/Audit" [eventSource]="Microsoft-Windows-DNSServer" [eventId]="516" [eventType]="Information" [domain]="HOMELAB" [computer]="Win2022DC.homelab.local" [user]="Administrator" [userSID]="S-1-5-21-3781725565-1359118258-3033190851-500" [userSIDAcctType]="User" [eventTime]="Sep 05 2023 13:20:40" [deviceTime]="Sep 05 2023 13:20:40" [msg]="A resource record of type 1, name test.homelab.local and RDATA 0x01010101 was deleted from scope Default of zone homelab.local."
You can see the full list of DNS Audit events here
Hello, I made the first suggestion and it works perfectly. I just have a question about the record type in the msg we found: "A resource record of type 1, name test.homelab.local and RDATA 0x01010101 was deleted from scope Default of zone homelab.local." What is the significance of those types 1, 2 or 5?
I believe these are simply DNS record types; you can see a list here:
https://en.wikipedia.org/wiki/List_of_DNS_record_types
i.e. type 1 is an A record, etc.
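To turn the raw 515/516 messages shown in the accepted answer into something a detection rule can act on, here is an added Python example (not FortiSIEM code and not from either poster) that parses the `[key]="value"` fields, decodes the record type number the follow-up question asks about (1 = A, 2 = NS, 5 = CNAME, from the IANA registry) and the A-record RDATA, and flags deletions made by accounts outside an allow-list. The sample lines are constructed from the raw message format above, trimmed to the fields used; the account name svc-unknown is made up.

```python
import re
from ipaddress import IPv4Address

# DNS record type numbers (IANA registry) behind the "type N" in the audit message.
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}
# Event IDs from the Microsoft-Windows-DNSServer/Audit log shown in the answer above.
EVENT_ACTIONS = {515: "created", 516: "deleted"}
KV_RE = re.compile(r'\[(\w+)\]="([^"]*)"')          # FortiSIEM [key]="value" pairs
TYPE_RE = re.compile(r"type (\d+)")
NAME_RE = re.compile(r"name (\S+?)(?:,| and)")       # name is followed by ", TTL" or " and RDATA"
RDATA_RE = re.compile(r"RDATA (0x[0-9A-Fa-f]+)")
ZONE_RE = re.compile(r"of zone (\S+?)\.(?:\s|$)")    # zone ends with "." then a space or end of message

def decode_rdata(rtype, rdata_hex):
    """Render A-record RDATA as a dotted quad; other types stay as the raw hex."""
    raw = bytes.fromhex(rdata_hex[2:])
    if rtype == 1 and len(raw) == 4:
        return str(IPv4Address(raw))
    return rdata_hex

def parse_dns_audit(line):
    """Parse one raw DNS audit line into a normalised change; None unless it is a 515/516."""
    fields = dict(KV_RE.findall(line))
    event_id = int(fields.get("eventId", 0))
    if event_id not in EVENT_ACTIONS:
        return None
    msg = fields["msg"]
    rtype = int(TYPE_RE.search(msg).group(1))
    return {
        "action": EVENT_ACTIONS[event_id],
        "user": fields.get("user"),
        "zone": ZONE_RE.search(msg).group(1),
        "name": NAME_RE.search(msg).group(1),
        "type": RR_TYPES.get(rtype, f"TYPE{rtype}"),
        "rdata": decode_rdata(rtype, RDATA_RE.search(msg).group(1)),
    }

def unexpected_deletions(lines, allowed_users):
    """Detection rule: record deletions by any account outside the expected admin set."""
    events = (parse_dns_audit(l) for l in lines)
    return [e for e in events if e and e["action"] == "deleted" and e["user"] not in allowed_users]

# Constructed sample lines, trimmed from the raw message format shown in the answer above.
HDR = "2023-09-05T13:17:33Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit "
SAMPLE_LINES = [
    HDR + '[eventId]="515" [user]="Administrator" [msg]="A resource record of type 1, name test.homelab.local, TTL 3600 '
    'and RDATA 0x01010101 was created in scope Default of zone homelab.local. [virtualization instance: .]."',
    HDR + '[eventId]="516" [user]="svc-unknown" [msg]="A resource record of type 1, name test.homelab.local '
    'and RDATA 0x01010101 was deleted from scope Default of zone homelab.local."',
]
```

`unexpected_deletions(SAMPLE_LINES, {"Administrator"})` returns only the 516 event, with the A record and its RDATA rendered as 1.1.1.1.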