Client IP addresses vary, so they are not suitable for retroactive verification. They should be enriched with constant knowledge about computers and users. To address this shortcoming, the DNS log in the SIEM product can be enriched with the triple correlation rules of the DHCP and AD security protocols. However, it is not easy to collect logs from these scattered sources and correlate them. Moreover, importing all these logs directly into the SIEM product increases the number of EPS and the number of correlations. This has a negative impact on the cost of the product license.
DNSEye allows you to collect logs from many different brands and models of DNS servers, such as Microsoft DNS, Infoblox, BIND, Bluecat, EfficientIP, F5, Citrix, without having to change your network topology. The DNS Visibility Host Discovery feature detects the real device and user corresponding to the IP address. Reading the DHCP log finds out which machine is currently using the IP address. Active Directory, by reading the security log, detects the IP address of the user whois logged in. The log enriched with these features is made meaningful and forwarded to the SOC teams. DNSSense performs this correlation automatically. It is enough to introduce these log sources into the system.