DNS

The dns log type stores DNS activity.

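The following snippet lists every mapping for this log type. Each entry maps a raw log field (`raw_field`) to its ECS field name (`ecs`) and its OCSF field name (`ocsf`). An `ocsf` value that begins with `unmapped.` means the field is kept under the OCSF `unmapped` object rather than a dedicated schema attribute, and most `ecs` values sit under the `aws.route53.` namespace rather than the common `dns.` fields, so queries and detection rules must reference the exact paths shown here: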

  1. "mappings": [
  2. {
  3. "raw_field":"record_type",
  4. "ecs":"dns.answers.type",
  5. "ocsf": "unmapped.record_type"
  6. },
  7. {
  8. "raw_field":"answers[].Type",
  9. "ecs":"aws.route53.answers.Type",
  10. "ocsf": "answers[].type"
  11. },
  12. {
  13. "raw_field":"answers[].Rdata",
  14. "ecs":"aws.route53.answers.Rdata",
  15. "ocsf": "answers[].rdata"
  16. },
  17. {
  18. "raw_field":"answers[].Class",
  19. "ecs":"aws.route53.answers.Class",
  20. "ocsf": "answers[].class"
  21. },
  22. {
  23. "raw_field":"query",
  24. "ecs":"dns.question.name",
  25. "ocsf": "unmapped.query"
  26. },
  27. {
  28. "raw_field":"query_name",
  29. "ecs":"aws.route53.query_name",
  30. "ocsf": "query.hostname"
  31. },
  32. {
  33. "raw_field":"parent_domain",
  34. "ecs":"dns.question.registered_domain",
  35. "ocsf": "unmapped.parent_domain"
  36. },
  37. {
  38. "raw_field":"version",
  39. "ecs":"aws.route53.version",
  40. "ocsf": "metadata.product.version"
  41. },
  42. {
  43. "raw_field":"account_id",
  44. "ecs":"aws.route53.account_id",
  45. "ocsf": "cloud.account_uid"
  46. },
  47. {
  48. "raw_field":"region",
  49. "ecs":"aws.route53.region",
  50. "ocsf": "cloud.region"
  51. },
  52. {
  53. "raw_field":"vpc_id",
  54. "ecs":"aws.route53.vpc_id",
  55. "ocsf": "src_endpoint.vpc_uid"
  56. },
  57. {
  58. "raw_field":"query_timestamp",
  59. "ecs":"aws.route53.query_timestamp",
  60. "ocsf": "time"
  61. },
  62. {
  63. "raw_field":"query_class",
  64. "ecs":"aws.route53.query_class",
  65. "ocsf": "query.class"
  66. },
  67. {
  68. "raw_field":"query_type",
  69. "ecs":"aws.route53.query_type",
  70. "ocsf": "query.type"
  71. },
  72. {
  73. "raw_field":"srcaddr",
  74. "ecs":"aws.route53.srcaddr",
  75. "ocsf": "src_endpoint.ip"
  76. },
  77. {
  78. "raw_field":"srcport",
  79. "ecs":"aws.route53.srcport",
  80. "ocsf": "src_endpoint.port"
  81. },
  82. {
  83. "raw_field":"transport",
  84. "ecs":"aws.route53.transport",
  85. "ocsf": "connection_info.protocol_name"
  86. },
  87. {
  88. "raw_field":"srcids.instance",
  89. "ecs":"aws.route53.srcids.instance",
  90. "ocsf": "src_endpoint.instance_uid"
  91. },
  92. {
  93. "raw_field":"srcids.resolver_endpoint",
  94. "ecs":"aws.route53.srcids.resolver_endpoint",
  95. "ocsf": "dst_endpoint.instance_uid"
  96. },
  97. {
  98. "raw_field":"srcids.resolver_network_interface",
  99. "ecs":"aws.route53.srcids.resolver_network_interface",
  100. "ocsf": "dst_endpoint.interface_uid"
  101. },
  102. {
  103. "raw_field":"firewall_rule_action",
  104. "ecs":"aws.route53.srcids.firewall_rule_action",
  105. "ocsf": "disposition_id"
  106. },
  107. {
  108. "raw_field":"creationTime",
  109. "ecs":"timestamp",
  110. "ocsf": "unmapped.creationTime"
  111. }
  112. ]