Configure DNS Logs

Prisma Cloud ingests the DNS logs from Amazon Kinesis Data Firehose and leverages those DNS query logs for DNS threat detection use cases, such as randomly generated domains (DGAs) and cryptomining. Prisma Cloud fetches the DNS query logs for an account that is streamed in Amazon Kinesis Data Firehose Stream in a logging account on AWS.
DNS log ingestion is not supported on Prisma Cloud stacks in AWS China and Gov Cloud.
  1. After you Onboard Your AWS Account, select
    Cloud Accounts
  2. Click the
    ( ) icon next to the AWS account from which you want to ingest DNS logs Amazon Kinesis Data Firehose.
  3. Click
    Threat Detection
  4. Toggle the
    button to
    DNS Logs
  5. Click
    Configure DNS Logs
  6. Click
    Add DNS Configuration
  7. Enter a
    for your DNS Configuration.
  8. Click
    A Webhook token is generated. You can choose to specify Domain Filters.
  9. Click
  10. Click the
    Click here to create stack in your AWS management account
    link to stream DNS query logs to Prisma Cloud.
    1. Log in to your AWS account and follow the steps to create a stack, select
      I acknowledge that AWS CloudFormation might create IAM resources with custom names
      , and click
      Create Stack
    2. Wait for status to display CREATE_COMPLETE.
      On successful creation, WebhookUrl, BackupS3BucketARN, and KinesisFirehoseRoleARN parameters are generated. Copy and save the values in a text file.
    3. Create
      Route-53 query logging config
      firehose pipeline
      per region by using CloudFormation StackSet .
      Running a stackset requires the following two roles. See the AWS documentation to grant these self managed permissions:
    4. After setting up the two roles, in your AWS console select
      CloudFormation template
      Create StackSet
    5. Choose a template for StackSet creation using Amazon S3 URL.
    6. Enter the StackSet details, these are the parameters you obtained previously in Step 10.b above.
    7. Set deployment options, such as account and regions for DNS query logging monitoring, and click
      • The account ID should match the one on which the first CFT was executed.
      • Since you are using a logging account model for sending logs, make sure to apply both CFTs on the logging account and then share Route-53 query logging configuration with each account where you want to send DNS logs from.
      • Sharing DNS Route-53 is ideal when you wnat to enable DNS ingestion for AWS organizations or Multiple accounts.
    8. Review the configuration.
    9. Click
      for StackSet creation.
  11. After the AWS configuration changes are complete, return to your Prisma Cloud console.
  12. Select the
    I acknowledge…​
    checkbox and click
  13. Click
    On successful configuration, Prisma Cloud starts to ingest DNS logs from Amazon Kinesis Data Firehose.
  14. Once the stackset deployment is complete, in your AWS console select
    Route 53
    Query Logging
    , click
    Route-53 query logging config
    created by the CFT, and select the VPCs whose DNS query logs you want Prisma Cloud to ingest.
    Repeat step 14 for every region where the stackset is deployed.

Recommended For You