Event 22 DNS Query issue - not generating event from browsers about sysmon-config HOT 12 OPEN

Your browser has a proxy most likely, so the proxy resolved the dns instead

from sysmon-config.

Hello @taherkaraki ,

Thank you for your feedback. Its not this. I don`t have any proxy set. I forgot to mention that all of the machines which I have tested on are newly installed (fresh Windows).

Must be something else but I didn`t yet figure it out what it is.

from sysmon-config.

Run wireshark and see if you have any dns traffic

from sysmon-config.

@taherkaraki - I tested it with wireshark. ran capture, accessed websites, including below apple.com, and it shows the DNS traffic:

but on the sysmon operational event viewer logs - no sign of them

from sysmon-config.

Are you sure your sysmon config does not exclude the browser?

from sysmon-config.

Are you sure your sysmon config does not exclude the browser?

@taherkaraki i'm using the swifton config. I changed nothing in it.

from sysmon-config.

Comment From config:

	<!--OPERATIONS:	Chrome and Firefox prefetch DNS lookups, or use alternate DNS lookup methods Sysmon won't capture. You need to turn these off.
					Search for Group Policy for these browsers to configure this.-->

from sysmon-config.

@taherkaraki - disabled the DNS lookup setting in edge (Use secure DNS to specify how to lookup the network address for websites) and still no sign in Sysmon operational of the DNS records from websites I`m accessing.

from sysmon-config.

later update: it turns out that from firefox I receive every DNS query in Event Viewer. the problem seems to be in edge and chrome. did checked the proxy settings, DNS lookup - nothing which can solve this

from sysmon-config.

Same issue, Is there a solution?

from sysmon-config.