Add resolved IP address field to query log
more information needed
Carl Levine
more information needed
This specific feature request was not satiated by the aforementioned release.
Bobby King
This isn't launched! Only the local agent IP and the responding server's IP are logged. The resolved IP is nowhere to be found. Steve Staden, did you read the title or description before you marked this as released? What value is the local IP and the server IP? We need to know what the FQDN resolved to so that we can correlate suspicious system activity with the DNS answer your servers provide, especially in the event that DNSFilter failed to block a malicious domain. If we know the IP we can identify the malicious traffic by the IP, then give your threat team both the FQDN that was queried, the evidence of which computer was assigned to that FQDN, and the evidence that it is malicious.
Contact me via email if you need help understanding the value of this field and the vital role it plays in incident response.
Carl Levine
Hello Bobby, Steve is no longer with DNSFilter. I see the value in what you're asking for, and I've reopened this feature request as "more information needed". While you've certainly provided a lot of great context that makes a lot of sense, is it all DNS responses you're looking for or just the resolved IPs (A/AAAA)?
Bobby King
Carl Levine, others may want to chime in on this one too, but I think just the resolved IP (A/AAAA) is all I would need. It would then allow me to correlate the IP traffic in network and host firewall logs to the FQDN that was queried, essentially letting me see the domain of the URL the user clicked. That gives me a forensic tie between the URL and the IP traffic.
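As an added illustration of the correlation Bobby describes (example code, not DNSFilter's and not from the thread), the script below joins a DNS query log that carries a resolved-IP field with firewall flows on client IP and destination IP, keeping only A/AAAA answers the client actually received before the connection; the column layouts and sample values are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample DNS query log; the column names are assumptions, not DNSFilter's export format.
DNS_LOG = """timestamp,client_ip,qname,qtype,resolved_ip,action
2024-01-10T09:00:01Z,10.0.1.25,cdn.example.com,A,203.0.113.10,allowed
2024-01-10T09:00:05Z,10.0.1.25,bad.example.net,A,198.51.100.7,allowed
2024-01-10T09:00:05Z,10.0.1.25,bad.example.net,AAAA,2001:db8::7,allowed
2024-01-10T09:01:00Z,10.0.1.40,docs.example.org,A,203.0.113.20,blocked
"""

# Constructed sample firewall log (layout also assumed).
FW_LOG = """timestamp,src_ip,dst_ip,dst_port,bytes
2024-01-10T09:00:07Z,10.0.1.25,198.51.100.7,443,51234
2024-01-10T09:00:09Z,10.0.1.25,203.0.113.10,443,900
2024-01-10T09:02:00Z,10.0.1.40,203.0.113.20,443,1200
"""


def build_answer_index(dns_csv):
    """Map (client_ip, resolved_ip) -> [(timestamp, qname)] for A/AAAA answers the client actually received."""
    index = defaultdict(list)
    for row in csv.DictReader(io.StringIO(dns_csv)):
        # A blocked query never handed the resolved IP to the client, so it cannot explain a flow.
        if row["qtype"] in ("A", "AAAA") and row["action"] == "allowed":
            index[(row["client_ip"], row["resolved_ip"])].append((row["timestamp"], row["qname"]))
    return index


def correlate(dns_csv, fw_csv):
    """Attribute each firewall flow to the FQDN(s) the same client resolved to that destination beforehand."""
    index = build_answer_index(dns_csv)
    results = []
    for row in csv.DictReader(io.StringIO(fw_csv)):
        # ISO-8601 UTC timestamps compare correctly as strings; only answers at or before the flow count.
        names = sorted({qname for ts, qname in index.get((row["src_ip"], row["dst_ip"]), [])
                        if ts <= row["timestamp"]})
        results.append({"src_ip": row["src_ip"], "dst_ip": row["dst_ip"], "fqdns": names})
    return results


def unattributed(results):
    """Flows with no preceding DNS answer on this resolver: hard-coded IPs or another resolver, worth a look."""
    return [r for r in results if not r["fqdns"]]


if __name__ == "__main__":
    for r in correlate(DNS_LOG, FW_LOG):
        print(r)
```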
George Osborne
There's still no search capability for this, even though the field is there.
Austin Kargl
Especially for the relay server, not needing to rely on the CSV and being able to see the IP address at a glance would be very helpful.
TYLER
This is very important for forensic and breach investigations to match up against firewall logs.
karik
TYLER: yeah, not sure how this product can be considered live without it