Sysmon DNS Logging - Feature Request - Add User Name

  • Greetings!

    I really appreciate the DNS Logging capability in SysMon but would like to see if others would like to see the feature I mention below as well.

    1. The username is not tied to the process that invoked the DNS question. It would be great to have this. Process Create has this information but I think it would be just as beneficial for the DNS Query functionality to have it as well.

    Thanks for a great tool!

    Nic

    Friday, January 3, 2020 11:09 PM

All replies

  • Well, as you already noticed, Process Create has the username, DNS Query has the PID, it is just a matter of relating the two pieces of information.
    It would be too much overhead to find the information in real time and log it twice, while you can find it easily enough when later examining the data.

    IMHO
    -mario

    Saturday, January 4, 2020 7:15 PM
  • Mario is quite correct. We generate the ProcessGUID for ProcessCreate and include this as a correlation ID for other event types. We receive lots of requests such as this and Mark R. will generally push back on these unless there is a reason why we cannot correlate the events (one example of the latter that we are planning to address is process image hashes which we can only correlate when imageload events are enabled).

    MarkC (MSFT)

    Tuesday, January 14, 2020 11:25 AM
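The correlation Mario and MarkC describe, as an added example that is not part of the thread or of Sysmon itself: join Sysmon Event ID 22 (DNS Query) to Event ID 1 (Process Create) on ProcessGuid to recover the user behind each lookup. The event XML is constructed and simplified (no Windows event namespace, made-up ProcessGuid values), and one DNS query deliberately has no matching Process Create, the case a detection pipeline has to handle.

```python
"""Join Sysmon DNS Query events (ID 22) to Process Create events (ID 1)
on ProcessGuid so each DNS lookup carries the user of the process.
Added example, not Sysmon's own code; the XML below is constructed and
simplified, and the ProcessGuid values are made up."""
import xml.etree.ElementTree as ET

# Constructed sample: one ID 1 event and two ID 22 events. The second
# DNS query has no matching ID 1 event (e.g. the process started before
# Sysmon was loaded, or the ID 1 event was filtered out by the config).
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="UtcTime">2020-01-03 23:00:01.000</Data>
 <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
 <Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
 <Data Name="User">NT AUTHORITY\\NETWORK SERVICE</Data>
</EventData></Event>
<Event><System><EventID>22</EventID></System><EventData>
 <Data Name="UtcTime">2020-01-03 23:00:02.000</Data>
 <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
 <Data Name="QueryName">example.com</Data>
 <Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
</EventData></Event>
<Event><System><EventID>22</EventID></System><EventData>
 <Data Name="UtcTime">2020-01-03 23:00:03.000</Data>
 <Data Name="ProcessGuid">{00000000-0000-0000-0000-0000000000ff}</Data>
 <Data Name="QueryName">example.org</Data>
 <Data Name="Image">C:\\Tools\\unknown.exe</Data>
</EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Yield (event_id, {field: value}) for each Sysmon event in the XML."""
    for ev in ET.fromstring(xml_text).findall("Event"):
        eid = int(ev.findtext("System/EventID"))
        data = {d.get("Name"): d.text for d in ev.find("EventData").findall("Data")}
        yield eid, data

def enrich_dns_queries(xml_text):
    """Return DNS query records with the user taken from the matching
    Process Create event; user is None when no ProcessGuid match exists."""
    events = list(parse_events(xml_text))
    # ProcessGuid is unique per process instance, unlike the reusable PID.
    creators = {d["ProcessGuid"]: d["User"] for eid, d in events if eid == 1}
    return [
        {"time": d["UtcTime"], "guid": d["ProcessGuid"], "image": d["Image"],
         "query": d["QueryName"], "user": creators.get(d["ProcessGuid"])}
        for eid, d in events if eid == 22
    ]

if __name__ == "__main__":
    for rec in enrich_dns_queries(SAMPLE_EVENTS):
        print(rec["time"], rec["user"] or "<no ProcessCreate seen>", rec["image"], rec["query"])
```

An unmatched ProcessGuid is worth surfacing rather than dropping: it usually means the Process Create event was filtered or predates Sysmon, which is itself a gap in visibility.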