elastic · natasha-moore-elastic · Sep 4, 2025 · Aug 29, 2025 · Aug 29, 2025 · Sep 3, 2025
@@ -0,0 +1,47 @@
+---
+applies_to:
+  stack: ga
+  serverless:
+    security: ga
+products:
+  - id: security
+  - id: cloud-serverless
+---
+
+# Configure the DNS histogram
+
+The DNS histogram (**Top domains by dns.question.registered_domain**) on the **Network** page helps you visualize domain activity in your environment. Depending on your {{kib}} setup—for example, if you're using {{elastic-defend}}—you may need to add the `dns.question.registered_domain` field so that DNS data appears correctly.
+
+If the DNS histogram is empty, follow these steps to populate the data.
+
+## Add the `dns.question.name` field
+
+Add the `dns.question.name` field to the Events table to confirm that DNS data is available.
+
+1. On the **Network** page, select the **Events** tab.
+2. In the Events table, click **Fields**, then add the `dns.question.name` field.
+
+## Create a custom ingest pipeline
+
+Create an ingest pipeline that extracts registered domains (for example, `example.com`) from full DNS query names (for example, `www.example.com`).
+
+1. Go to the **Ingest Pipelines** page using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), and select **Create pipeline → New pipeline**.
+2. On the **Create pipeline** page, set the pipeline name to `logs-endpoint.events.network@custom`.
+3. Click **Add a processor**. In the **Add processor** flyout, configure the following:
+   1. From the **Processor** dropdown, select **Registered domain**.
+   2. Under **Field**, enter `dns.question.name`.
+   3. Under **Target field (optional)**, enter `dns.question.registered_domain`.
+   4. Toggle **Ignore missing**.
+   5. Under **Condition (optional)**, enter `ctx?.dns?.question?.name != null`.
+   6. Toggle **Ignore failures for this processor**.
+   7. Select **Add processor**.
+4. Select **Create pipeline**. This custom pipeline is automatically picked up by the existing `logs-endpoint.events.network-<version>` pipeline.
+
+## Add the `dns.question.registered_domain` field
+
+Add the `dns.question.registered_domain` field to the Events table to verify that the ingest pipeline processes DNS queries correctly.
+
+1. Go back to the Events table on the **Network** page.
+2. Click **Fields**, then add the `dns.question.registered_domain` field.
+
+After you configure the DNS histogram, it will show domain activity grouped by registered domain, allowing you to identify the top domains queried in your environment.
@@ -59,7 +59,7 @@ There are also tabs for viewing and investigating specific types of data:
 
 * **Events**: All network events. To display alerts received from external monitoring tools, scroll down to the events table and select **Show only external alerts** on the right.
 * **Flows**: Source and destination IP addresses and countries.
-* **DNS**: DNS network queries.
+* **DNS**: DNS network queries. To view this data, you may need to [](/solutions/security/explore/configure-dns-histogram.md).
 * **HTTP**: Received HTTP requests (HTTP requests for applications using [Elastic APM](/solutions/observability/apm/index.md) are monitored by default).
 * **TLS**: Handshake details.
 * **Anomalies**: Anomalies discovered by [machine learning jobs](/solutions/security/advanced-entity-analytics/anomaly-detection.md).

@@ -676,6 +676,7 @@ toc:
           - file: security/explore/network-page.md
             children:
               - file: security/explore/configure-network-map-data.md
+              - file: security/explore/configure-dns-histogram.md
           - file: security/explore/users-page.md
       - file: security/advanced-entity-analytics.md
         children: