Sysmon Event ID 22 - Filter localhost DNS queries

Question

Sysmon Event ID 22 - Filter localhost DNS queries

Ivica Agatunovic 106

Is it possible to somehow exclude / filter out DNS queries so machine doesn't log localhost resolving. In sysmon logs I see majority of DNS events are coming from machine trying to resolve itself (QueryName: "localmachinename"). The following peace of code under the DNS Query Section in sysmon doesn't seems to work:
<DnsQuery onmatch="exclude">
<QueryName condition="is">..localmachine</QueryName>
<QueryName condition="is">localhost</QueryName>

Any ideas how this can be solved?

Thanks,
Ivica

Answer 1

Ivica Agatunovic 106

Thanks, I understand the statements part but here problem is that every host is trying to resolve it's own hostname which is unique for each host so if I use only "localhost", statements are useless in this case. I am trying to find a way to completely disable/exclude sysmon DNSquery logging only in case when host tries to resolve itself.

dstaulcu 351 Reputation points

2021-02-18T14:34:32.74+00:00

I don't think there is a way, in the current version, to include a variable such as hostname in conditions of configuration xml. One way you could achieve the result is to dynamically compose your configuration xml file via script at the host and merge it having a hard coded host name or IP among exclude rules.

Is there any combination of QueryName, QueryStatus, QueryResults, or Image values which are unique about the logs you are trying to suppress? Perhaps instead of a host based strategy some combination of those in a compound rule could do the trick.

When I first enabled network connection logging in our environment our DNS servers were overwhelmed with name resolution requests triggered by connections associated with tools making use of peer to peer content distribution. I submitted a feature request for the option to disable name resolution for network connections. Maybe the DnsQuery=False configuration option can get you by as a workaround.
Ivica Agatunovic 106 Reputation points

2021-02-19T09:16:22.6+00:00

I managed to include variable in xml config file template using our config management tool so each host has included rule which applies local hostname exclusion only:
<QueryName condition="is">$hostname</QueryName>

Thanks for the hints!

Answer 2

With current version of Sysmon, the following filter statements are supported:

is (default)
is not
contains
contains any
is any
contains all
excludes
excludes any
excludes all
begin with
end with
less than
more than
image

Try incorporating use of "end with" or "contains" instead of "is"

Sysmon Event ID 22 - Filter localhost DNS queries

1 additional answer

Activity