Guide

Send Edge DNS data to your SIEM solution

Suggest Edits

In Infrastructure Security Analytics, you can configure your Security Information and Event Management (SIEM) solution as a destination for data. This allows you to monitor and respond to significant events in Edge DNS zones. It also lets your organization receive and visualize critical security events on your preferred SIEM platforms.

You can configure and enable Infrastructure Security Analytics to monitor Edge DNS for NXDOMAIN spikes and dangling CNAMEs.

When NXDOMAIN Spike Detection is enabled in Infrastructure Security Analytics, you can

  • Monitor Edge DNS zones for specific spikes in NXDOMAIN responses.
  • Notify yourself or administrators to detected spikes and events.

When Dangling CNAME Detection is enabled in Infrastructure Security Analytics, you can

  • Look for misconfigurations that can lead to security vulnerabilities.
  • Continuously check Edge DNS zones for unusual spikes and misconfigurations.

To learn more about the features and how to enable them, see Set up infrastructure security analytics.

After your SIEM integration is in place, the following workflow occurs for data to reach your SIEM solution:

  1. A detected spike in Edge DNS responses triggers an event.
  2. The event is sent to your SIEM solution (for example, Google SecOps).
  3. Data is available for you to view and analyze in your SIEM dashboard, allowing you to visualize Edge DNS events in your SIEM dashboards.

Benefits

This feature offers the following benefits.

  • Real-time notifications. Notifications of events are displayed on the Infrastructure Security Analytics page of the Control Center and a message is sent to your SIEM. These real-time notifications allow you to promptly identify and respond to ongoing threats, whether or not a SIEM integration is enabled.
  • Dashboard Analysis. With your SIEM solution, you can correlate Edge DNS events with other events and data in your network, providing comprehensive threat analysis.

Setup instructions

For instructions on how to set up your SIEM solution as a destination for Edge DNS data, see the instructions for your specific solution.

SolutionInstructions
Google Security Operations (Google SecOps)Configure Google SecOps as a destination
Microsoft SentinelConfigure Microsoft Sentinel as a destination
ServiceNowConfigure ServiceNow as a destination
SplunkConfigure Splunk as a destination

Updated 20 days ago