ShadowTrackr


More DNS records monitored

29 May 2022
This week the new DNS module has gone live. From now on, we also track SOA, SRV, CAA and CNAME records. You can easily see the results on the domain page or find them with this query:

index=dns

We already monitored your TXT records, but there is now better support for DMARC and DKIM records. Besides the record type (rrtype) there is now an rrsubtype field for SPF, DMARC and DKIM. So, this query will show all your SPF records:

index=dns rrsubtype=SPF

The DNS records are all parsed and all fields are stored separately. That means you can query them. Here are some examples:

index=dns rrtype=SOA refresh=14400
index=dns rrtype=SOA | table url serial expire refresh retry
index=dns rrsubtype=DKIM k=rsa
index=dns rrsubtype=DMARC pct=100
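To show what the "parsed into separate fields" part means in practice, here is an added example (not ShadowTrackr's own code) that classifies constructed TXT records into the SPF, DMARC and DKIM subtypes, flattens their tags into fields, and filters them the way the `rrsubtype=DMARC pct=100` and `rrsubtype=DKIM k=rsa` queries above would. Field names such as `url`, `rrtype` and `rrsubtype` follow the queries on this page; applying the RFC default values for absent tags is an assumption of this example.

```python
# Constructed sample TXT records (not from ShadowTrackr): (record name, TXT value).
SAMPLE_TXT = [
    ("example.com", "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"),
    ("_dmarc.example.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    ("sel1._domainkey.example.com", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"),
    ("example.com", "google-site-verification=abc123"),
]

def classify_txt(name, value):
    """Return the rrsubtype (SPF, DMARC, DKIM) or None for any other TXT record."""
    v = value.strip()
    if v.lower().startswith("v=spf1"):
        return "SPF"
    if v.upper().startswith("V=DMARC1"):
        return "DMARC"
    if v.upper().startswith("V=DKIM1") or "._domainkey." in name.lower():
        return "DKIM"
    return None

def parse_txt(name, value):
    """Parse one TXT record into a flat dict whose keys are queryable fields."""
    rec = {"url": name, "rrtype": "TXT", "rrsubtype": classify_txt(name, value)}
    if rec["rrsubtype"] == "SPF":
        terms = value.split()[1:]                    # drop the v=spf1 version term
        rec["mechanisms"] = terms
        rec["all"] = next((t for t in terms if t.endswith("all")), None)
    elif rec["rrsubtype"] in ("DMARC", "DKIM"):
        for tag in value.split(";"):                 # ';'-separated tag=value pairs
            key, sep, val = tag.partition("=")
            if sep:
                rec[key.strip()] = val.strip()
        # Assumption of this example: fill in RFC defaults so absent tags are
        # still queryable (the page does not say whether ShadowTrackr does this).
        if rec["rrsubtype"] == "DMARC":
            rec["pct"] = int(rec.get("pct", 100))    # RFC 7489: pct defaults to 100
        else:
            rec.setdefault("k", "rsa")               # RFC 6376: k defaults to rsa
    return rec

def parse_all(pairs):
    return [parse_txt(name, value) for name, value in pairs]

def query(records, **criteria):
    """Filter parsed records like `index=dns rrsubtype=DMARC pct=100` would."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]

if __name__ == "__main__":
    recs = parse_all(SAMPLE_TXT)
    for r in query(recs, rrsubtype="DMARC", pct=100):
        print(r["url"], r["p"], r["pct"])
```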

Of course, all new fields are available in the API too. For more information on which fields are available, see the data model in the documentation.

New fields in Certificates

16 April 2022
There are multiple new fields available in certificates, and you can use them in queries and reports. The renewed and partially_renewed fields allow you to make a custom report that lists all certificates that are about to expire. The result shows whether they have been renewed in time or not:

index=certificates not_after<+3w last_seen>-1m | table cn, ip, grade, renewed, partially_renewed, issuer

The cn_without_sni field is handy to get more information on shared hosters:

index=certificates cn != cn_without_sni | table cn, cn_without_sni, ip, issuer

The subject and issuersubject fields give the exact string that is in the certificate, complete with CN, O, OU and the other values used. As an extra, these are also parsed out and made available separately. Please note that older certificates (before April 2022) do not have these fields populated. You can use these fields to group by subject countries:

index=certificates by C

Or issuer countries:

index=certificates by issuer_C

Please see Certificate Index in the docs for more details.

New query keyword: IN

03 April 2022
Query-based reports are here, and query-based alerts are underway. To fully use this, queries should be easy to write. That is why you can now use IN () and NOT IN () as keywords.

Say you want a report of all websites that do not return a 201, 403 or 404 HTTP code. The old way (which still works) would be:

index=websites https_status!=201 AND https_status!=403 AND https_status!=404

The more values you want to select or exclude, the longer the query becomes. With the new keyword this query can be rewritten as:

index=websites https_status NOT IN(201, 403, 404)

Much better, right?