This article explains how to ingest your on-premise Windows DNS Debug Logs to Hunters. These logs hold information on DNS queries (including the queried domain), from Windows Servers in which this role is enabled. Such information is important for Enterprise security coverage and can help in revealing malicious communication.

For more information about the logs' collection and schema, see here here or here.

Hunters Ingestion

For Hunters to integrate with your on-prem Windows DNS Debug Logs, the logs should be collected to a Storage Service (e.g. to an S3 bucket or Azure Blob Storage) shared with Hunters.

Expected Format

In each log file, the events should be separated by a new-line, where each event has a standard format as in the following example:

4/20/2021 20:04:21 PM 09B0 PACKET  00000000014E0010 UDP Snd        3122 R Q [8081   DR  NOERROR] A      (7)hunters(2)ai(0)