Send Edge DNS data to your SIEM solution
This page describes how to integrate your Security Information and Event Management (SIEM) solution with Edge DNS security analytics.
The SIEM feature in the Security Analytics module enhances the ability to monitor and respond to significant events in Edge DNS zones. By configuring the SIEM, you can receive and visualize critical security events on your preferred SIEM platforms.
You can configure and enable Security Analytics to monitor Edge DNS for NXDOMAIN spikes and dangling CNAMEs.
- NXDOMAIN Spike Detection
- Monitors Edge DNS zones for specific spikes in NXDOMAIN responses.
- Notifies you or other administrators of detected spikes via events.
- Dangling CNAME Detection
- Looks for misconfigurations that can lead to security vulnerabilities.
- Continuously checks Edge DNS zones for unusual spikes and misconfigurations.
To learn more about the features and how to enable them, see Set up security analytics.
Benefits
- Notifications of events are displayed on the Security Analytics page of the Control Center whether or not SIEM integration is enabled; when it is enabled, a message is also sent to your SIEM. These real-time notifications allow you to promptly identify and respond to ongoing threats.
- With this integration, you can configure real-time notifications that allow you to identify and react to ongoing threats.
- Dashboard Analysis: You can correlate Edge DNS events with other events and data in your network, providing comprehensive threat analysis.
How does SIEM Integration work?
- A detected spike in Edge DNS responses triggers an event.
- The event is sent to your SIEM (e.g., Google SecOps).
- You can view and analyze the event on your SIEM dashboard.
This integration lets you visualize and analyze Edge DNS events in your current SIEM dashboards.
Supported SIEM Destinations
- Google SecOps (Google Security Operations)
- Microsoft Sentinel
Configure a SIEM integration with Google SecOps
This procedure outlines the steps to configure Google SecOps as a SIEM destination. By completing this setup, you establish a centralized location for monitoring and analyzing security data.
Before you begin
Before starting the configuration process, ensure you have the following information. For details on how to obtain this information, refer to the relevant sections in the Google Cloud documentation.
- Customer ID:
  - The Customer ID is a unique identifier for your configuration in Google Security Operations.
  - To locate your Customer ID, refer to the Google Security Operations documentation.
- Service Account Credentials:
  - These credentials can be obtained from the Google Cloud Platform (GCP).
  - Follow these steps to obtain the credentials:
    - Sign in to your Google Cloud account.
    - Navigate to the IAM (Identity and Access Management) section.
    - Select Service Accounts.
    - Create a new service account or select an existing one.
    - Download the JSON key file for this service account.
For more detailed instructions on where to find the items, you can visit the Google Cloud IAM documentation.
To configure a SIEM integration with Google SecOps:
- In Control Center, go to ≡ > DNS SOLUTIONS > Edge DNS. The Zone list page opens.
- Click Security analytics.
- Click Settings in the top right corner.
- In the window that appears, select your SIEM destination.
- Select types of events to send (e.g., NXDOMAIN Spikes, Dangling CNAMEs).
- Enter the credentials and details of your SIEM system: Customer ID and Service Account Credentials.
- Save the configuration to start sending events to SIEM.
Configure a SIEM integration with Microsoft Sentinel
This procedure outlines the steps to configure Microsoft Sentinel as a SIEM destination. By completing this setup, you establish a centralized location for monitoring and analyzing security data.
Before you begin
Before starting the configuration, ensure you have the following information ready. The official Microsoft Sentinel documentation provides details on how to locate or create each of these items:
- Application ID: The unique GUID of your application. You can find this in Azure Active Directory (AAD) under the "App registrations" section.
- Directory ID: The ID of the Azure directory where your application resides. This can also be found under "App registrations" in AAD.
- DC Rule ID: The Data Collection Rule ID. This is created and managed in Azure Monitor, which links the rule to Microsoft Sentinel.
- Application Secret: A secret key used for authenticating the application. This can be generated in the "Certificates & secrets" section of the app registration in AAD.
- DC Endpoint: The endpoint where data collected by the Data Collection Rules will be sent. This is configurable in Azure Monitor.
- DC Stream Name: The name of the stream used for storing collected data. You will set this up when creating the Data Collection Rule in Azure Monitor.
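The six values above are the inputs of the Azure Monitor Logs Ingestion API (a DCE endpoint, a DCR immutable ID, a stream name, and an app registration that obtains a token for the https://monitor.azure.com scope). The following added example, which is not Akamai code and assumes rather than knows that the Control Center integration posts to that API, lets you confirm that a set of values is coherent before entering it: it sanity-checks each value, builds the token and ingestion URLs, and assembles the POST request for a constructed Edge DNS event. Only fetch_token and send_events perform network calls; everything else runs offline. All values in SETTINGS and the sample event are constructed placeholders.

```python
"""Sanity-check Sentinel ingestion settings and build the Logs Ingestion request (added example)."""
import json
import urllib.parse
import urllib.request

API_VERSION = "2023-01-01"                        # Logs Ingestion API version
TOKEN_SCOPE = "https://monitor.azure.com/.default"  # scope for an ingestion token

# Constructed placeholder values; replace them with the ones from your tenant.
SETTINGS = {
    "application_id": "00000000-0000-0000-0000-000000000001",
    "directory_id": "00000000-0000-0000-0000-000000000002",
    "dc_rule_id": "dcr-00000000000000000000000000000000",
    "application_secret": "PLACEHOLDER-SECRET",
    "dc_endpoint": "https://my-dce-abcd.eastus-1.ingest.monitor.azure.com",
    "dc_stream_name": "Custom-EdgeDnsEvents_CL",
}

# Constructed sample event in the shape a custom table might accept; the
# column names are assumptions, but TimeGenerated is what Sentinel expects.
SAMPLE_EVENTS = [{
    "TimeGenerated": "2024-05-01T10:02:13Z",
    "EventType": "NXDOMAIN_SPIKE",
    "Zone": "example.com",
    "Count": 7,
}]


def validate_settings(s):
    """Return a list of problems; an empty list means the values look usable."""
    problems = []
    for key in ("application_id", "directory_id"):
        if len(s.get(key, "").split("-")) != 5:
            problems.append(f"{key} is not a GUID")
    if not s.get("dc_rule_id", "").startswith("dcr-"):
        problems.append("dc_rule_id should be the DCR immutable ID (dcr-...), not its display name")
    if not s.get("dc_endpoint", "").startswith("https://"):
        problems.append("dc_endpoint must be an https:// URL")
    if not s.get("dc_stream_name", "").startswith(("Custom-", "Microsoft-")):
        problems.append("dc_stream_name should be a DCR stream name (Custom-... or Microsoft-...)")
    if not s.get("application_secret"):
        problems.append("application_secret is empty")
    return problems


def token_url(s):
    """Microsoft Entra token endpoint for the tenant given by the Directory ID."""
    return f"https://login.microsoftonline.com/{s['directory_id']}/oauth2/v2.0/token"


def ingestion_url(s):
    """Logs Ingestion URL combining DC Endpoint, DC Rule ID and DC Stream Name."""
    return (f"{s['dc_endpoint'].rstrip('/')}/dataCollectionRules/{s['dc_rule_id']}"
            f"/streams/{s['dc_stream_name']}?api-version={API_VERSION}")


def build_ingest_request(s, events, bearer_token):
    """Assemble the POST request without sending it."""
    body = json.dumps(events).encode()
    return urllib.request.Request(
        ingestion_url(s), data=body, method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})


def fetch_token(s):
    """Client-credentials grant for the app registration (network call)."""
    form = urllib.parse.urlencode({
        "client_id": s["application_id"], "client_secret": s["application_secret"],
        "scope": TOKEN_SCOPE, "grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(token_url(s), data=form, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def send_events(s, events):
    """Fetch a token and post the events; a 204 response means ingestion accepted them."""
    with urllib.request.urlopen(build_ingest_request(s, events, fetch_token(s))) as resp:
        return resp.status


if __name__ == "__main__":
    issues = validate_settings(SETTINGS)
    print("settings problems:", issues or "none")
    print("ingestion URL:", ingestion_url(SETTINGS))
    # send_events(SETTINGS, SAMPLE_EVENTS)  # uncomment with real values to test end to end
```

A 403 from the ingestion URL usually means the app registration lacks the Monitoring Metrics Publisher role on the DCR, and a 404 usually means the DCR immutable ID or stream name does not match what is declared in Azure Monitor; both are worth resolving before saving the integration in Control Center.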
To configure a SIEM integration with Microsoft Sentinel:
Once you have collected all the required information, follow these steps to configure Microsoft Sentinel:
- In Control Center, go to ≡ > DNS SOLUTIONS > Edge DNS. The Zone list page opens.
- Click Security analytics.
- Click Settings in the top right corner.
- In the window that appears, select your SIEM destination.
- Select types of events to send (e.g., NXDOMAIN Spikes, Dangling CNAMEs).
- Enter the credentials and details of your SIEM system:
  - Enter the Application ID for the integration.
  - Provide the Directory ID of your Azure Active Directory.
  - Add the DC Rule ID, which links the data collection process.
  - Enter the Application Secret for secure authentication.
  - Specify the DC Endpoint where data will be sent.
  - Configure the DC Stream Name for storing collected data.
- Save the configuration to start sending events to SIEM.