PassiveDNS
About
Passive DNS data provides information for IT security teams, research teams and brand protection specialists. Research analysts gain insight into how a particular domain name changes over time and how it is related to other domains and/or IP addresses. This data makes it possible to build a picture of potential threats across global networks that cannot be identified by monitoring your own network alone.
Product Details
Product Type: DNS
Product Tier: Tier I
Integration Method: Syslog
Parser Details
Log Format: Syslog / JSON
Expected Normalization Rate: near 100%
Data Label: PASSIVE_DNS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| hostname | intermediary.hostname |
| Passive DNS | metadata.product_name |
| NETWORK_DNS | metadata.event_type |
| DNS | network.application_protocol |
| query | network.dns.questions.name |
| type | network.dns.questions.type |
| qclass | network.dns.questions.class |
| answer | network.dns.answers.data |
| ttl | network.dns.answers.ttl |
| client | principal.ip |
| server | target.ip |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| all event types | NETWORK_DNS |
Log Sample
Mar 6 18:30:30 servername pdns_alert 1646609430.251672||10.1.3.6||10.2.3.4||IN||subdomain.domain.com.||A||10.1.1.1||20||1|smb_time=1646610306987|smb_uid=/ari8QV8Rredactedandrandom164661030698738687
Sample Parsing
metadata.event_type: NETWORK_DNS
metadata.product_name: "Passive DNS"
principal.ip: "10.1.3.6"
target.ip: "10.2.3.4"
intermediary.hostname: "servername"
network.application_protocol: DNS
network.dns.questions.name: "subdomain.domain.com"
network.dns.questions.type: 1
network.dns.questions.class: 1
network.dns.answers.ttl: 20
network.dns.answers.data: "10.1.1.1"
Parser Alerting
This product currently does not have any parser-based alerting.