Version: v2.4.5

Export DNS request data to SIEM

This guide lists the steps to configure the SIEM integration that exports DNS request logs to a SIEM of your choice. The integration works by writing a CSV version of the DNS requests to an organization-owned S3 bucket at regular intervals. The SIEM then ingests the CSV from the bucket with a simple set-up process. Refer to Splunk Integration for a sample integration.

Steps to configure

  • Navigate to Settings > Integration > SIEM integration
  • For first-time configuration, click on CONFIGURE
  • Fill in the required details to allow DNS Firewall to write the exported DNS requests CSV file to an AWS S3 bucket
  • Select the export frequency and related details about the CSV export, then save the configuration
  • Once configured, the CSV export starts within a few minutes, and you can monitor the status of the integration, including the last time the CSV was exported

SIEM Integration

Log path and file name format

The CSV files are stored in the path specified while configuring the SIEM integration. The file name format is yyyy-mm-dd-hh-mm-ss.csv.

File Size

File size depends on the size of the domain and the number of events per day. Assuming each log line is 220 bytes, a million requests add up to ~220 MB.

Key fields (in order)

Version - The version of the CSV export format used.
Date and Time (UTC) - Timestamp of when the request was made. This is in UTC and differs from what you see in the web application, which uses the local timezone.
Domain - The domain that was requested.
Domain Resolution IP - IP address of the domain at the time of resolution.
Network Name - Name of the network (if applicable) from which the request originated. This applies to network-based deployments.
Device Name - Name of the roaming client. This applies to roaming client deployments.
Device OS - OS of the roaming client.
External IP - IP address of the device or roaming client making the request.
Protocol - Underlying protocol used for the DNS request, such as UDP or HTTPS.
Categories - Content category of the requested domain. There can be up to 5 categories for a domain, separated by commas.
Rejection Type - For a rejected domain, the rejection type specifies the reason for rejection, such as malicious.
Rejection Category - For a rejected domain, the rejection category lists the exact category, such as phishing, ransomware and so on.
Blocking Mode - Specifies whether the network or roaming client was in blocking mode when the request was made. If blocking mode was turned off, the request is resolved for the user even though a rejection category may be present.
Query Type - The type of DNS request that was made. Common DNS request types are A, AAAA, CNAME, MX, NS, PTR, SOA, SRV, TXT, SIG.
Response Code - The DNS return code for this request. Response Code can have one of these values: "NOERROR", "FORMERR", "SERVFAIL", "NXDOMAIN", "NOTIMP", "REFUSED".

Sample DNS Request

Version: 2.0.0
Date and Time (UTC): 2022-01-01T10:45:10Z
Domain: google.com
Domain Resolution IP: 2001:db8::1
Network Name: network_name
Device Name: (empty; network-based deployment)
Device OS: (empty; network-based deployment)
External IP: 127.0.0.1
Protocol: UDP
Categories: News Portal & Search
Rejection Type: (empty; request was not rejected)
Rejection Category: (empty; request was not rejected)
Blocking Mode: off
Query Type: A
DNS Response Code: NOERROR
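A parser for this export, as an added example that is not the product's own tooling: it reads v2 rows in the column order listed above and picks out the case the Blocking Mode field describes, a request that carried a rejection category but still resolved because blocking mode was off. The sample rows are constructed, and the code assumes the file has no header row and that a multi-category value is quoted so its commas survive CSV parsing.

```python
import csv
import io
from typing import Iterator

# Column order of the v2 export, as documented on this page.
FIELDS = [
    "version", "timestamp_utc", "domain", "resolution_ip", "network_name",
    "device_name", "device_os", "external_ip", "protocol", "categories",
    "rejection_type", "rejection_category", "blocking_mode", "query_type",
    "response_code",
]

# Constructed sample rows (not real export data). Assumes no header row and
# that a multi-category Categories value is quoted.
SAMPLE_CSV = """\
2.0.0,2022-01-01T10:45:10Z,google.com,2001:db8::1,network_name,,,127.0.0.1,UDP,News Portal & Search,,,off,A,NOERROR
2.0.0,2022-01-01T10:46:02Z,bad.example,,,laptop-07,Windows,203.0.113.5,HTTPS,"Malware,Phishing",malicious,phishing,on,A,REFUSED
2.0.0,2022-01-01T10:47:30Z,evil.example,198.51.100.9,network_name,,,127.0.0.1,UDP,Malware,malicious,ransomware,off,A,NOERROR
"""


def parse_export(text: str) -> Iterator[dict]:
    """Yield one dict per DNS request, keyed by FIELDS; Categories becomes a list."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(row)}: {row}")
        rec = dict(zip(FIELDS, row))
        rec["categories"] = [c.strip() for c in rec["categories"].split(",") if c.strip()]
        yield rec


def rejected(text: str) -> list[dict]:
    """Requests the firewall classified for rejection (Rejection Type is set)."""
    return [r for r in parse_export(text) if r["rejection_type"]]


def resolved_despite_rejection(text: str) -> list[dict]:
    """Requests with a rejection category that were still resolved because
    blocking mode was off. The page notes these resolve for the user, so they
    are the rows worth alerting on in the SIEM."""
    return [r for r in parse_export(text)
            if r["rejection_category"] and r["blocking_mode"].lower() == "off"]


if __name__ == "__main__":
    for r in resolved_despite_rejection(SAMPLE_CSV):
        print(r["timestamp_utc"], r["domain"], r["rejection_category"], r["external_ip"])
```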

Export versions

V1: Contains DNS traffic logs.
V2: (Download Version 2 Sample) Additional fields have been added to enrich the DNS request data: Domain Resolution IP, Network Name, Device Name and Device OS. The Device ID field has been removed in this version and replaced with the Device Name field.

Deleting configuration

If you need to stop exporting DNS requests to the S3 bucket, use the DELETE CONFIGURATION option. This deletes the existing integration and stops pushing CSV files to the S3 bucket. If you need to start exporting again, the set-up has to be done again from the beginning.