Is it feasible to enrich events with say, DNS CAA record details as it flows through stream?
Answers
Are you saying you want to use the DNS lookup function to enrich?
0 -
Or something else?
0 -
Looks like we need to add the CAA resource type to the DNS Lookup function, but you should be able to get the result with the `ANY` type and then use an eval.
0 -
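As an added illustration (not Cribl's code, not the DNS Lookup or Eval function, and not posted by anyone in this thread), the following Python shows the decoding an eval step would have to do once the lookup returns raw CAA RDATA: the RFC 8659 wire layout is flags (1 byte), tag length (1 byte), tag, value. It assumes the resolver on the host hands back the RDATA bytes unchanged; the sample bytes, the `example.invalid` names and the field names such as `caa_issue` are constructed for the example.

```python
"""Decode DNS CAA records (RFC 8659) into flat fields for event enrichment."""


def parse_caa_rdata(rdata: bytes) -> dict:
    """Decode one CAA RDATA: flags (1 byte) | tag length (1 byte) | tag | value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than 2 bytes")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("CAA tag length does not fit inside RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii")  # raises ValueError on non-ASCII
    if not tag.isalnum():
        raise ValueError("CAA tag must be ASCII alphanumeric")
    value = rdata[2 + tag_len:].decode("utf-8", errors="replace")
    return {
        "flags": flags,
        "critical": bool(flags & 0x80),  # issuer-critical bit (RFC 8659 section 4.1)
        "tag": tag.lower(),              # tags are matched case-insensitively
        "value": value,
    }


def _issuer_domain(value: str) -> str:
    """The issuer domain is the text before the first ';'; parameters follow it."""
    return value.split(";", 1)[0].strip()


def caa_enrichment(rdatas: list) -> dict:
    """Summarise a CAA RRset into flat fields that can be attached to an event."""
    fields = {
        "caa_present": bool(rdatas),
        "caa_issue": [],                  # CAs allowed to issue non-wildcard certs
        "caa_issuewild": [],              # CAs allowed to issue wildcard certs
        "caa_iodef": [],                  # where a CA should report policy violations
        "caa_issue_forbidden": False,     # an 'issue' record with an empty issuer
        "caa_issuewild_forbidden": False, # an 'issuewild' record with an empty issuer
        "caa_unknown_critical": False,    # unknown tag with the critical bit set
    }
    for rdata in rdatas:
        rec = parse_caa_rdata(rdata)
        tag, value = rec["tag"], rec["value"]
        if tag in ("issue", "issuewild"):
            domain = _issuer_domain(value)
            if domain:
                fields["caa_" + tag].append(domain)
            else:
                # An empty issuer domain (e.g. value ";") means nobody may issue.
                fields["caa_" + tag + "_forbidden"] = True
        elif tag == "iodef":
            fields["caa_iodef"].append(value)
        elif rec["critical"]:
            # A CA that does not understand a critical tag must refuse to issue,
            # so this is worth surfacing as its own field.
            fields["caa_unknown_critical"] = True
    return fields


def enrich_event(event: dict, rdatas: list) -> dict:
    """Return a copy of the event with the CAA summary fields merged in."""
    enriched = dict(event)
    enriched.update(caa_enrichment(rdatas))
    return enriched


# Constructed sample RDATA, as a resolver would return it for one name.
SAMPLE_CAA_RDATA = [
    b"\x00\x05issueletsencrypt.org",
    b"\x00\x05issuedigicert.com; accounturi=https://example.invalid/acct/1",
    b"\x00\x09issuewild;",
    b"\x00\x05iodefmailto:security@example.invalid",
    b"\x80\x07unknownsomething",
]

if __name__ == "__main__":
    sample_event = {"host": "www.example.invalid"}  # constructed event
    for key, val in enrich_event(sample_event, SAMPLE_CAA_RDATA).items():
        print(f"{key}: {val}")
```

The parser rejects malformed RDATA rather than guessing, so a truncated or non-ASCII tag produces an error the pipeline can route rather than a silently wrong policy field.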
<@U02UFGDA7N1> for your attention ^^
0 -
Yah, CAA and a few recent bits of DNS seem to get skipped a lot
0 -
Maybe make record type a free text field?
0 -
Like the Redis function
0 -
Might be some differences in the functionality behind the scenes, but good idea
0 -
Yeah, I tried to hack the JSON and insert CAA, but it is too strict and doesn't accept the value 🙂
0 -
Would the DNS Lookup function's returned information be dependent on the host OS?
0 -
I strongly doubt that
0 -
Even Windows usually manages to resolve DNS
0 -
Using the function via Edge that's collecting from a Windows 10 device, but I'm not seeing any CAA information.
0 -
Do you have access to the box?
0 -
yah
0 -
I just learned that neither nslookup nor PowerShell can handle CAA records oO
0 -
yah, hence my question
0 -
Like, if JavaScript is reliant on the host OS, or if it's implementing it itself and not relying on the host OS.
0 -
I can't believe this. Found a bug report for PHP from 2018 where someone ran into the same issue. Seems the Windows API just lacks this function. What a mess...
0 -
Gotta love Windows.
0 -
Maybe will see it in Windows 12
0 -
Eventually this will shift to a Linux box; maybe I'll just speed that up, heh.
0 -
Ha, I asked ChatGPT and exactly as expected it lied to me and told me it works with nslookup. That mofo.
0 -
hahaha
0 -
I keep working on teaching lies to ChatGPT
0 -
As if it needs help with making shit up
0 -
I moved it to Linux and got one or two CAA records enriched on my events; of course the event I'm using to test gets no DNS enrichment, heh.
0 -
Hey Leif, I captured this in a feature request, the Integ team will be tracking using Cribl-17915
0 -
Thanks
0