DNS Query Monitoring Metrics
DNS Query Monitoring
uberAgent collects detailed information about DNS queries: the request, all responses, and the process from which the query originated.
Details
- Source type:
uberAgentESA:Process:DnsQuery - Used in dashboards: Process DNS
- Enabled through configuration setting:
DnsMonitoring - Related configuration settings: n/a
- Supported platform: all
List of Fields in the Raw Agent Data
| Field | Description | Data type | Unit | Example |
|---|---|---|---|---|
| ProcName | Process name. | String | svchost.exe | |
| ProcGUID | Process GUID. | String | 4b3e3686-7854-4d98-0023-1e0e617bf2e4 | |
| DnsRequest | DNS query name. | String | www.example.com | |
| DnsResponse | DNS query response. | String | 10.1.3.12 | |
| DnsResponseType | DNS query response type (e.g.: A, AAAA, CNAME). | String | A | |
| DnsEventCount | Number of requests in the last interval. | Number | 1 | |
| DnsRisk52Chars | Tests whether the DNS host name contains more than 52 chars. | Number | 1 | |
| DnsRisk27UniqueChars | Tests whether the DNS host name contains more than 27 unique chars. | Number | 1 | |
| DnsRiskEmptyResponse | Tests whether the response is either not available or empty (e.g., SOA). | Number | 1 | |
| DnsRiskTXTRecord | Tests for the uncommon response type TXT. | Number | 1 | |
| DnsRiskHighEntropy | Tests the DNS request for high entropy based on Shannon entropy. | Number | 1 | |
| DnsResponseStatus | Dns response status. Empty if the query was successful. Any other value indicates an error. | Number | 9501 |
The fields DnsRequest, DnsResponse, and DnsResponseType may contain multiple values, separated by a semicolon ;.
List of Calculated Fields
| Field | Description | Data type | Unit | Example | Where available |
|---|---|---|---|---|---|
| TimestampMs | _time * 1000. |
Number | ms | 1585913547467 | Splunk data model |