From 19abc0e1afcc73210599ea0055ab9995d4cbe8ba Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 8 Sep 2025 10:44:56 +0100 Subject: [PATCH] Add guide for configuring DNS histogram on Network page --- .../configure-dns-histogram.asciidoc | 43 +++++++++++++++++++ docs/getting-started/explore-intro.asciidoc | 1 + .../network-page-overview.asciidoc | 2 +- 3 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 docs/getting-started/configure-dns-histogram.asciidoc diff --git a/docs/getting-started/configure-dns-histogram.asciidoc b/docs/getting-started/configure-dns-histogram.asciidoc new file mode 100644 index 0000000000..37c4e8019a --- /dev/null +++ b/docs/getting-started/configure-dns-histogram.asciidoc 
@@ -0,0 +1,43 @@ +[[configure-dns-histogram]] + += Configure the DNS histogram + +The DNS histogram (**Top domains by dns.question.registered_domain**) on the **Network** page helps you visualize domain activity in your environment. If you're using {elastic-defend}, you may need to add the `dns.question.registered_domain` field so that DNS data appears correctly. + +If the DNS histogram is empty, follow these steps to populate the data. + +[discrete] +== Add the `dns.question.name` field + +Add the `dns.question.name` field to the Events table to confirm that DNS data is available. + +. Go to the **Network** page using the navigation menu or the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Select the **Events** tab. +. In the Events table, click **Fields**, then add the `dns.question.name` field. + +[discrete] +== Create a custom ingest pipeline + +Create an ingest pipeline that extracts registered domains (for example, `example.com`) from full DNS query names (for example, `www.example.com`). + +. Go to the **Ingest Pipelines** page using the navigation menu or the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], and select **Create pipeline → New pipeline**. +. On the **Create pipeline** page, set the pipeline name to `logs-endpoint.events.network@custom`. +. Click **Add a processor**. In the **Add processor** flyout, configure the following: +.. From the **Processor** dropdown, select **Registered domain**. +.. Under **Field**, enter `dns.question.name`. +.. Under **Target field (optional)**, enter `dns.question.registered_domain`. +.. Turn **Ignore missing** on. +.. Under **Condition (optional)**, enter `ctx?.dns?.question?.name != null`. +.. Turn **Ignore failures for this processor** on. +.. Select **Add processor**. +. Select **Create pipeline**. This custom pipeline is automatically picked up by the existing `logs-endpoint.events.network-` pipeline. 
+ +[discrete] +== Add the `dns.question.registered_domain` field + +Add the `dns.question.registered_domain` field to the Events table to verify that the ingest pipeline processes DNS queries correctly. + +. Go back to the Events table on the **Network** page. +. Click **Fields**, then add the `dns.question.registered_domain` field. + +After you configure the DNS histogram, it will show domain activity grouped by registered domain, allowing you to identify the top domains queried in your environment. diff --git a/docs/getting-started/explore-intro.asciidoc b/docs/getting-started/explore-intro.asciidoc index c65bcd8aba..af61177005 100644 --- a/docs/getting-started/explore-intro.asciidoc +++ b/docs/getting-started/explore-intro.asciidoc @@ -7,4 +7,5 @@ The following section includes an overview of the *Hosts*, *Network*, and *Users include::{security-docs-root}/docs/management/hosts/hosts-overview.asciidoc[leveloffset=+1] include::network-page-overview.asciidoc[leveloffset=+1] include::net-map-req.asciidoc[leveloffset=+2] +include::configure-dns-histogram.asciidoc[leveloffset=+2] include::users-page.asciidoc[leveloffset=+1] diff --git a/docs/getting-started/network-page-overview.asciidoc b/docs/getting-started/network-page-overview.asciidoc index bacbe431c7..e6f48eba3e 100644 --- a/docs/getting-started/network-page-overview.asciidoc +++ b/docs/getting-started/network-page-overview.asciidoc 
@@ -44,7 +44,7 @@ There are also tabs for viewing and investigating specific types of data: * *Events*: All network events. To display alerts received from external monitoring tools, scroll down to the events table and select *Show only external alerts* on the right. * *Flows*: Source and destination IP addresses and countries. -* *DNS*: DNS network queries. +* *DNS*: DNS network queries. To view this data, you may need to <>. * *HTTP*: Received HTTP requests (HTTP requests for applications using {apm-app-ref}/apm-getting-started.html[Elastic APM] are monitored by default). * *TLS*: Handshake details.
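Review bot: in the new configure-dns-histogram.asciidoc, the "Create a custom ingest pipeline" section should state that the Registered domain processor only runs on events ingested after the pipeline exists, so `dns.question.registered_domain` (and therefore the histogram) will stay empty for documents that were already indexed; a reader who immediately follows the "Add the `dns.question.registered_domain` field" verification step may otherwise conclude the pipeline is broken. The closing sentence's pipeline name `logs-endpoint.events.network-` ends in a dangling hyphen and reads as truncated; either complete the name or describe it as the existing integration pipeline that calls the `@custom` pipeline. Minor: with **Ignore missing** turned on, the condition `ctx?.dns?.question?.name != null` is redundant; keeping both is harmless, but a short note on why both are set (or dropping one) would avoid the question.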
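Review bot: the changed *DNS* bullet in network-page-overview.asciidoc ends in an empty cross-reference (`<>`), so "you may need to" renders with no link target; it should reference the anchor the new file defines, for example `<<configure-dns-histogram,configure the DNS histogram>>`, so the sentence reads as a complete instruction.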