Configure DNS Logs Ingestion from Amazon

Prisma Cloud ingests the DNS logs from Amazon Kinesis Data Firehose and leverages those DNS query logs for DNS threat detection use cases, such as data exfiltration, DGAs, and cryptomining. Prisma Cloud fetches the DNS query logs for an account that is streamed in Amazon Kinesis Data Firehose Stream in a logging account on AWS.
DNS log ingestion is not supported on Prisma Cloud stacks in AWS China and Gov Cloud.
  1. Onboard your AWS account.
  2. Ingest DNS logs from Amazon Kinesis Data Firehose.
    1. Login to Prisma Cloud.
    2. Select
      Settings
      Cloud Accounts
      .
    3. Edit
      the AWS account for which you want to configure the DNS logs.
    4. Select
      Kinesis Data Firehose
      from the
      DNS Logs
      dropdown.
    5. Configure
      .
    6. Add DNS Configuration
      .
    7. Enter a
      Name
      for your DNS Configuration and click
      Generate
      .
      A Webhook token is generated. You can choose to specify Domain Filters.
    8. Next
      .
    9. Click here to create stack in your AWS management account
      to stream DNS query logs to Prisma Cloud.
    10. Log in to your AWS account and follow the steps to create a stack, select
      I acknowledge that AWS CloudFormation might create IAM resources with custom names.
      , and click
      Create Stack
      .
    11. Wait for status to display CREATE_COMPLETE.
      On successful creation, WebhookUrl, BackupS3BucketARN, and KinesisFirehoseRoleARN parameters are generated.
    12. Create
      Route-53 query logging config
      and
      firehose pipeline
      per region by using CloudFormation StackSet .
      Running a stackset requires the following two roles. See the AWS documentation to grant these self managed permissions:
    13. After setting up the two roles, in your AWS console select
      Settings
      CloudFormation template
      StackSets
      Create StackSet
      .
    14. Choose a template for StackSet creation using Amazon S3 URL.
    15. Enter the StackSet details, these are the parameters you obtained previously in Step 11.
    16. Set deployment options, such as account and regions for DNS query logging monitoring, and click
      Next
      .
      • The account ID should match the one on which the first CFT was executed.
      • Since you are using a logging account model for sending logs, make sure to apply both CFTs on the logging account and then share Route-53 query logging configuration with each account where you want to send DNS logs from.
      • Sharing DNS Route-53 is ideal when you wnat to enable DNS ingestion for AWS organizations or Multiple accounts.
    17. Review the configuration and
      Submit
      for StackSet creation.
    18. After the AWS configuration changes are complete, go back to your Prisma Cloud console, select the
      I acknowledge…​
      checkbox,
      Save
      the configuration, and
      Done
      .
    19. On successful configuration, Prisma Cloud starts to ingest DNS logs from Amazon Kinesis Data Firehose.
    20. Once stackset deployment is complete, in your AWS console select
      Route 53
      Resolver
      Query Logging
      , click
      Route-53 query logging config
      created by the CFT, and select the VPCs whose DNS query logs you want Prisma Cloud to ingest.
      Repeat step 20 for every region where stackset is deployed.

Recommended For You