The ES correlation search 'DNS Query Requests Resolved by Unauthorized DNS Servers' determines if the traffic is to from and authorized name server by using the criteria:
DNS.dest_category != dns_server AND
DNS.src_category != dns_server
from the 'Network Resolution (DNS) > DNS' Data model.
In our environment the DNS Data Model is populated from events from Microsoft AD: Sourcetype MSAD:NT6:DNS however, dest_category and src_category are not populated by this app.
Anyone know the appropriate way to inform ES of the authorized name servers?
