Adds the parsing of DNS query responses to the winlogbeat-sysmon.js file

winlogbeat-sysmon-22-parsing

// Add this above extractIP4
var splitIps = function(evt) {
    extractIP4(evt, "winlog.event_data.QueryResults")
}

// Add this above event22
var extractIP4 = function(evt, queryResultField) {
        
    var addresses = [];
    var ips = evt.Get(queryResultField)
    if (ips != null) {
        //evt.Delete(queryResultField)
        ips.split(';').forEach(function(ip){
            var regex = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
            if(regex.test(ip)) {
                ip = ip.replace('::ffff:','')
                addresses.push(ip)
            }
        })
    }
    evt.Put('destination.ips', addresses)
}

// Add this pretty much anywhere
var event22 = new processor.Chain()
    .Add(parseUtcTime)
    .Convert({
        fields: [
            {from: "winlog.event_data.UtcTime", to: "@timestamp"},
            {from: "winlog.event_data.QueryName", to: "destination.domain"}
        ],
        mode: "rename",
        ignore_missing: true,
        fail_on_error: false,
    })
    .Add(splitIps)
    .Add(removeEmptyEventData)
    .Build();
// Add this after Event ID 21
22: event22.Run,