FortiSIEM Discussions
Taher11
New Contributor III

DNS records traking

Hello,

I monitor my Windows active directory which is also my DNS server through the Fortisiem Windows agent, How can I detect the change made on the DNS side ( record deleting or changing)?

What types of Windows events ID should I look for when searching for those kinds of modifications made on the DNS server side?

 

FortiSIEM 

EL MOUSTAPHA MOHAMED LEMINE TAHER
EL MOUSTAPHA MOHAMED LEMINE TAHER
1 Solution
cdurkin_FTNT
Staff
Staff

Did you follow the recommendations from your original post?

https://community.fortinet.com/t5/FortiSIEM-Discussions/DNS-server-event-monitoring/td-p/266150

 

If you choose to monitor the DNS Audit event log: Microsoft-Windows-DNSServer/Audit

 

Admin -> Setup -> Windows Agent
Under Windows Agent Monitor Templates, choose your Template click Edit
Under Event -> Event Log .. New
Under Type -> Choose Other
Event Name: Log Name: Microsoft-Windows-DNSServer/Audit
Save / Apply

 

You will then see:

 

Event Type: Win-DNS-515-Record-Create

Raw Message Sample:
2023-09-05T13:17:33Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit [phCustId]="1" [customer]="Super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="aac6d305-7f80-48a2-bc78-b63de85e896b" [timeZone]="-0500" [eventName]="Microsoft-Windows-DNSServer/Audit" [eventSource]="Microsoft-Windows-DNSServer" [eventId]="515" [eventType]="Information" [domain]="HOMELAB" [computer]="Win2022DC.homelab.local" [user]="Administrator" [userSID]="S-1-5-21-3781725565-1359118258-3033190851-500" [userSIDAcctType]="User" [eventTime]="Sep 05 2023 13:17:32" [deviceTime]="Sep 05 2023 13:17:32" [msg]="A resource record of type 1, name test.homelab.local, TTL 3600 and RDATA 0x01010101 was created in scope Default of zone homelab.local. [virtualization instance: .]."


Event Type: Win-DNS-516-Record-Delete

Raw Message Sample:
2023-09-05T13:20:40Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit [phCustId]="1" [customer]="Super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="aac6d305-7f80-48a2-bc78-b63de85e896b" [timeZone]="-0500" [eventName]="Microsoft-Windows-DNSServer/Audit" [eventSource]="Microsoft-Windows-DNSServer" [eventId]="516" [eventType]="Information" [domain]="HOMELAB" [computer]="Win2022DC.homelab.local" [user]="Administrator" [userSID]="S-1-5-21-3781725565-1359118258-3033190851-500" [userSIDAcctType]="User" [eventTime]="Sep 05 2023 13:20:40" [deviceTime]="Sep 05 2023 13:20:40" [msg]="A resource record of type 1, name test.homelab.local and RDATA 0x01010101 was deleted from scope Default of zone homelab.local."

 

You can see the full list of DNS Audit events here

 

 

View solution in original post

3 REPLIES 3
cdurkin_FTNT
Staff
Staff

Did you follow the recommendations from your original post?

https://community.fortinet.com/t5/FortiSIEM-Discussions/DNS-server-event-monitoring/td-p/266150

 

If you choose to monitor the DNS Audit event log: Microsoft-Windows-DNSServer/Audit

 

Admin -> Setup -> Windows Agent
Under Windows Agent Monitor Templates, choose your Template click Edit
Under Event -> Event Log .. New
Under Type -> Choose Other
Event Name: Log Name: Microsoft-Windows-DNSServer/Audit
Save / Apply

 

You will then see:

 

Event Type: Win-DNS-515-Record-Create

Raw Message Sample:
2023-09-05T13:17:33Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit [phCustId]="1" [customer]="Super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="aac6d305-7f80-48a2-bc78-b63de85e896b" [timeZone]="-0500" [eventName]="Microsoft-Windows-DNSServer/Audit" [eventSource]="Microsoft-Windows-DNSServer" [eventId]="515" [eventType]="Information" [domain]="HOMELAB" [computer]="Win2022DC.homelab.local" [user]="Administrator" [userSID]="S-1-5-21-3781725565-1359118258-3033190851-500" [userSIDAcctType]="User" [eventTime]="Sep 05 2023 13:17:32" [deviceTime]="Sep 05 2023 13:17:32" [msg]="A resource record of type 1, name test.homelab.local, TTL 3600 and RDATA 0x01010101 was created in scope Default of zone homelab.local. [virtualization instance: .]."


Event Type: Win-DNS-516-Record-Delete

Raw Message Sample:
2023-09-05T13:20:40Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit [phCustId]="1" [customer]="Super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="aac6d305-7f80-48a2-bc78-b63de85e896b" [timeZone]="-0500" [eventName]="Microsoft-Windows-DNSServer/Audit" [eventSource]="Microsoft-Windows-DNSServer" [eventId]="516" [eventType]="Information" [domain]="HOMELAB" [computer]="Win2022DC.homelab.local" [user]="Administrator" [userSID]="S-1-5-21-3781725565-1359118258-3033190851-500" [userSIDAcctType]="User" [eventTime]="Sep 05 2023 13:20:40" [deviceTime]="Sep 05 2023 13:20:40" [msg]="A resource record of type 1, name test.homelab.local and RDATA 0x01010101 was deleted from scope Default of zone homelab.local."

 

You can see the full list of DNS Audit events here

 

 

Taher11
New Contributor III

Hello, I made the first suggestion and it works perfectly, I just have a question about the type of records in the msg we found " A resource record of type 1, name test.homelab.local and RDATA 0x01010101 was deleted from scope Default of zone homelab.local." what are the signification of those types 1 2 or 5 .?

EL MOUSTAPHA MOHAMED LEMINE TAHER
EL MOUSTAPHA MOHAMED LEMINE TAHER
cdurkin_FTNT

I believe these are simply DNS Record Types ..   you can see a list here..

https://en.wikipedia.org/wiki/List_of_DNS_record_types

 

ie: Type 1 is an A record etc ...

Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"