How to get/send DNS logs to on-prem SIEM -- DNS Proxy + DNS Security

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

How to get/send DNS logs to on-prem SIEM -- DNS Proxy + DNS Security

L1 Bithead

Hello Community!

Wondering if anyone has this scenario / has experience with retrieving DNS security logs...

 

Remote Site Firewall setup:

- DNS Proxy Enabled (Rules direct internal domains to internal DNS servers across SDWAN, all other DNS request go out local internet to 8.8.8.8)

-Firewalls have DNS Security Subscription

 

Problem: We previously used internal DNS servers for all traffic (due to backhauling internet to the datacenters) and forwarded all DNS server logs to our on-prem SIEM. Now with DNS Proxy + External DNS servers we no longer get the detailed DNS logs we used to.

 

Partial Solution: We have DNS Security subscriptions on these remote firewalls, it seems that this logs all DNS queries in Palo's cloud, and I can see them in Autofocus... However, we are stumped on how to get these logs made available to pull down / be sent to our on-prem SIEM so we can use the data for event correlation amongst many other log sources

 

I have been working with our account team to find a solution, but I wanted to float it out here in case anyone has found a solution or has alternate suggestions.

2 REPLIES 2

Cyber Elite
Cyber Elite

@jgardner150,

You can setup log forwarding from CDL and setup filtering if required so that it isn't sending all logs unless you need it. 

 

https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-start...

@BPry Thanks for the info.

I did a little research and see they added DNS Security logs as source for CDL about a year back: https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-release-notes/cortex-data... .

 

I'm guessing I'll need to buy a little bit of storage (I currently don't use CDL) to be able to use this option for forwarding the logs I'm looking for. Not ideal, but at least it sounds like it might get the job done. 

  • 2360 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!