@rw-access Do you have plans to add DNS events to eqllib and the mapping for sysmon DNS?
Hey @buddytex, thanks for the reminder.
Definitely, yes. And original_file_name for process events.
Can you open an issue on https://github.com/endgameinc/eql/issues/new/choose? We can track it there and get the conversation going to pick what makes sense for the fields. I'm thinking of skipping the usual subtype, since a lot of solutions like sysmon merge the request with the response.