DNS Enricher¶

DNS Enricher enriches event with information loaded from DNS server(s), such as hostnames.

Example¶

Declaration¶

  ---
  define:
    name: DNSEnricher
    type: enricher/dns
    dns_server: 8.8.8.8,5.5.4.8  # optional

  attributes:

    device.ip:
      hostname: host.hostname

    source.ip:
      hostname:
        - host.hostname
        - source.hostname

Input¶

{
    "source.ip": "142.251.37.110",
}

Output¶

{
    "source.ip": "142.251.37.110", 
    "host.hostname": "prg03s13-in-f14.1e100.net",
    "source.hostname": "prg03s13-in-f14.1e100.net"
}

Section `define`¶

This section defines the name and the type of the enricher, which in the case of DNS Enricher is always enricher/dns.

Item `name`¶

Shorter human-readable name of this declaration.

Item `type`¶

The type of this declaration, must be enricher/dns.

Item `dns_server`¶

The list of DNS servers to ask for information, separated by comma ,.

Section `attributes`¶

Specify dictionary with attribues to load the IP address or other DNS-lookup information from.

Each attribute should be followed by another dictionary with the list of keys to extract from the DNS server.

Then the value of every key is either string with the name of the event attribute to store the looked up value in, or a list, if the value should be inserted into more than one event attribute.

DNS Enricher¶

Example¶

Declaration¶

Input¶

Output¶

Section define¶

Item name¶

Item type¶

Item dns_server¶

Section attributes¶

Section `define`¶

Item `name`¶

Item `type`¶

Item `dns_server`¶

Section `attributes`¶