SIEM & UEBA

FortiSIEM - Tuning DNS built-in rules using the Networks: Approved Public DNS Folder

  • 1.  FortiSIEM - Tuning DNS built-in rules using the Networks: Approved Public DNS Folder

    Posted Jul 26, 2021 03:13 PM

    Tuning for the following Built in system rules

    (s) End User DNS Queries to Unauthorized DNS Servers
    (s) Outbound Traffic to Unapproved Public DNS Servers

    The FortiSIEM has many built in rules to start detecting and alerting on events of interest.
    Unfortunately some times we do not check these rules for organizational alignment or truly understand the rule logic.
    We deconstructed the above rules and noticed the following common conditional attribute

    AND Destination IP NOT IN Networks: Approved Public DNS

    This condition would allow any DNS server IP defined in the folder Networks/Approved Public DNS to be "whitelisted",
    So as per an organizational policy of allowed DNS servers, one could update this folder and tune for what to trigger on outside of what is allowed by that organization.

    The problem arises after FortiSIEM 5.4 when this folder gets automatically updated with publicly available DNS servers.
    In version 6.1.1 for example the list is over 1400 DNS servers. In perspective, Before 5.4 there were only around 7 entries in this folder.
    This would in reality not trigger the above rules if any device was using DNS servers from say outside the organization or country.
    The allowed list for DNS servers is usually small and triggering on DNS traffic outside of these is a great way to detect potential malicious behavior.


    The suggested Fix,
    Delete this entry in each above rule for starters. This will allow the rules to trigger on DNS servers outside of the
    ones defined under Applications/DNS which is defined as the following condition included on those rules

    AND Source IP NOT IN Applications: DNS

    If you do have other authorized DNS servers besides ones internal to organization and beyond what are under Applications/DNS ,
    Then you should use a watchlist and define those there. you can do this by adding a conditional attribute to those rules similar to the sample below;

    AND Destination IP NOT IN DyWatchLists: Approved DNS servers

    in this way an alert will trigger when DNS traffic is seen outside what has been defined as "normal" operational baselines, This will help greatly reduce the false positives.


    hope this helps. Please let me know your feedback.