Configure DNS Logs Ingestion

Prisma Cloud ingests the DNS logs from Amazon Kinesis Data Firehose and leverages those DNS query logs for DNS threat detection use cases, such as randomly generated domains (DGAs) and cryptomining. Prisma Cloud fetches the DNS query logs for an account that is streamed in Amazon Kinesis Data Firehose Stream in a logging account on AWS.
DNS log ingestion is not supported on Prisma Cloud stacks in AWS China and Gov Cloud.
  1. Onboard your AWS account.
  2. Ingest DNS logs from Amazon Kinesis Data Firehose.
    1. Login to Prisma Cloud.
    2. Select
      Cloud Accounts
    3. Edit
      the AWS account for which you want to configure the DNS logs.
    4. Select
      Kinesis Data Firehose
      from the
      DNS Logs
    5. Configure
    6. Add DNS Configuration
    7. Enter a
      for your DNS Configuration and click
      A Webhook token is generated. You can choose to specify Domain Filters.
    8. Next
    9. Click here to create stack in your AWS management account
      to stream DNS query logs to Prisma Cloud.
    10. Log in to your AWS account and follow the steps to create a stack, select
      I acknowledge that AWS CloudFormation might create IAM resources with custom names.
      , and click
      Create Stack
    11. Wait for status to display CREATE_COMPLETE.
      On successful creation, WebhookUrl, BackupS3BucketARN, and KinesisFirehoseRoleARN parameters are generated.
    12. Create
      Route-53 query logging config
      firehose pipeline
      per region by using CloudFormation StackSet .
      Running a stackset requires the following two roles. See the AWS documentation to grant these self managed permissions:
    13. After setting up the two roles, in your AWS console select
      CloudFormation template
      Create StackSet
    14. Choose a template for StackSet creation using Amazon S3 URL.
    15. Enter the StackSet details, these are the parameters you obtained previously in Step 11.
    16. Set deployment options, such as account and regions for DNS query logging monitoring, and click
      • The account ID should match the one on which the first CFT was executed.
      • Since you are using a logging account model for sending logs, make sure to apply both CFTs on the logging account and then share Route-53 query logging configuration with each account where you want to send DNS logs from.
      • Sharing DNS Route-53 is ideal when you wnat to enable DNS ingestion for AWS organizations or Multiple accounts.
    17. Review the configuration and
      for StackSet creation.
    18. After the AWS configuration changes are complete, return to your Prisma Cloud console, select the
      I acknowledge…​
      the configuration.
    19. Done
    20. On successful configuration, Prisma Cloud starts to ingest DNS logs from Amazon Kinesis Data Firehose.
    21. Once the stackset deployment is complete, in your AWS console select
      Route 53
      Query Logging
      , click
      Route-53 query logging config
      created by the CFT, and select the VPCs whose DNS query logs you want Prisma Cloud to ingest.
      Repeat step 20 for every region where stackset is deployed.

Recommended For You