Configure DNS Logs Ingestion
Prisma Cloud ingests the DNS logs from Amazon Kinesis Data Firehose and leverages those DNS query logs for DNS threat detection use cases, such as randomly generated domains (DGAs) and cryptomining. Prisma Cloud fetches the DNS query logs for an account that is streamed in Amazon Kinesis Data Firehose Stream in a logging account on AWS.
DNS log ingestion is not supported on Prisma Cloud stacks in AWS China and Gov Cloud.
- Onboard your AWS account.
- Ingest DNS logs from Amazon Kinesis Data Firehose.
- Login to Prisma Cloud.
- Select .
- Editthe AWS account for which you want to configure the DNS logs.
- SelectKinesis Data Firehosefrom theDNS Logsdropdown.
- Configure.
- Add DNS Configuration.
- Enter aNamefor your DNS Configuration and clickGenerate.A Webhook token is generated. You can choose to specify Domain Filters.
- Next.
- Click here to create stack in your AWS management accountto stream DNS query logs to Prisma Cloud.
- Log in to your AWS account and follow the steps to create a stack, selectI acknowledge that AWS CloudFormation might create IAM resources with custom names., and clickCreate Stack.
- Wait for status to display CREATE_COMPLETE.On successful creation, WebhookUrl, BackupS3BucketARN, and KinesisFirehoseRoleARN parameters are generated.
- CreateRoute-53 query logging configandfirehose pipelineper region by using CloudFormation StackSet .Running a stackset requires the following two roles. See the AWS documentation to grant these self managed permissions:
- After setting up the two roles, in your AWS console select .
- Choose a template for StackSet creation using Amazon S3 URL.
- Enter the StackSet details, these are the parameters you obtained previously in Step 11.
- Set deployment options, such as account and regions for DNS query logging monitoring, and clickNext.
- The account ID should match the one on which the first CFT was executed.
- Since you are using a logging account model for sending logs, make sure to apply both CFTs on the logging account and then share Route-53 query logging configuration with each account where you want to send DNS logs from.
- Sharing DNS Route-53 is ideal when you wnat to enable DNS ingestion for AWS organizations or Multiple accounts.
- Review the configuration andSubmitfor StackSet creation.
- After the AWS configuration changes are complete, return to your Prisma Cloud console, select theI acknowledge…checkbox,Savethe configuration.
- Done.
- On successful configuration, Prisma Cloud starts to ingest DNS logs from Amazon Kinesis Data Firehose.
- Once the stackset deployment is complete, in your AWS console select , clickRoute-53 query logging configcreated by the CFT, and select the VPCs whose DNS query logs you want Prisma Cloud to ingest.Repeat step 20 for every region where stackset is deployed.
