Configure DNS Logs
Prisma Cloud ingests the DNS logs from Amazon Kinesis Data Firehose and leverages those DNS query logs for DNS threat detection use cases, such as randomly generated domains (DGAs) and cryptomining. Prisma Cloud fetches the DNS query logs for an account that is streamed in Amazon Kinesis Data Firehose Stream in a logging account on AWS.
DNS log ingestion is not supported on Prisma Cloud stacks in AWS China and Gov Cloud.
- After you Onboard Your AWS Account, select .
- Click theView(
) icon next to the AWS account from which you want to ingest DNS logs Amazon Kinesis Data Firehose. - ClickThreat Detection.
- Toggle theDisabledbutton toEnabledforDNS Logs.
- ClickConfigure DNS Logs.
- ClickAdd DNS Configuration.
- Enter aNamefor your DNS Configuration.
- ClickGenerate.A Webhook token is generated. You can choose to specify Domain Filters.
- ClickNext.
- Click theClick here to create stack in your AWS management accountlink to stream DNS query logs to Prisma Cloud.
- Log in to your AWS account and follow the steps to create a stack, selectI acknowledge that AWS CloudFormation might create IAM resources with custom names, and clickCreate Stack.
- Wait for status to display CREATE_COMPLETE.On successful creation, WebhookUrl, BackupS3BucketARN, and KinesisFirehoseRoleARN parameters are generated. Copy and save the values in a text file.
- CreateRoute-53 query logging configandfirehose pipelineper region by using CloudFormation StackSet .Running a stackset requires the following two roles. See the AWS documentation to grant these self managed permissions:
- After setting up the two roles, in your AWS console select .
- Choose a template for StackSet creation using Amazon S3 URL.
- Enter the StackSet details, these are the parameters you obtained previously in Step 10.b above.
- Set deployment options, such as account and regions for DNS query logging monitoring, and clickNext.
- The account ID should match the one on which the first CFT was executed.
- Since you are using a logging account model for sending logs, make sure to apply both CFTs on the logging account and then share Route-53 query logging configuration with each account where you want to send DNS logs from.
- Sharing DNS Route-53 is ideal when you wnat to enable DNS ingestion for AWS organizations or Multiple accounts.
- Review the configuration.
- ClickSubmitfor StackSet creation.
- After the AWS configuration changes are complete, return to your Prisma Cloud console.
- Select theI acknowledge…checkbox and clickSave.
- ClickDone.On successful configuration, Prisma Cloud starts to ingest DNS logs from Amazon Kinesis Data Firehose.
- Once the stackset deployment is complete, in your AWS console select , clickRoute-53 query logging configcreated by the CFT, and select the VPCs whose DNS query logs you want Prisma Cloud to ingest.Repeat step 14 for every region where the stackset is deployed.
