Guide

Send Edge DNS data to your SIEM solution

Suggest Edits

This page describes how to integrate your Security Information and Event Management (SIEM) solution with Edge DNS security analytics.

The SIEM feature in the Infrastructure Security Analytics module enhances the ability to monitor and respond to significant events in Edge DNS zones. By configuring the SIEM, you can receive and visualize critical security events on your preferred SIEM platforms.

You can configure and enable Infrastructure Security Analytics to monitor Edge DNS for NXDOMAIN spikes and dangling CNAMEs.

  • NXDOMAIN Spike Detection
    • Monitors Edge DNS zones for specific spikes in NXDOMAIN responses.
    • Notifies you or other administrators of detected spikes via events.
  • Dangling CNAME Detection
    • Looks for misconfigurations that can lead to security vulnerabilities.
    • Continuously checks Edge DNS zones for unusual spikes and misconfigurations.

Learn more about the features and how to enable them, see Set up infrastructure security analytics.

Benefits

  • Notifications of events are displayed on the Infrastructure Security Analytics page of the Control Center and a message is send to your SIEM. These real-time notifications allow you to promptly identify and respond to ongoing threats, whether or not SIEM integration is enabled.
  • With this integration, you can configure real-time notifications that allow you to identify and react to ongoing threats.
  • Dashboard Analysis: You can correlate Edge DNS events with other events and data in your network, providing comprehensive threat analysis.

How does SIEM Integration work?

  • A detected spike in Edge DNS responses triggers an event.
  • The event is sent to your SIEM (e.g., Google SecOps).
  • You can view and analyze the event on your SIEM dashboard.

This integration lets you visualize and analyze Edge DNS events in your current SIEM dashboards.

Supported SIEM Destinations

  • Google SecOps (Google Security Operations)
  • Microsoft Sentinel
  • Splunk

Configure a SIEM integration with Google SecOps

This procedure outlines the steps to configure Google SecOps as a SIEM destination. By completing this setup, you establish a centralized location for monitoring and analyzing security data.

Before you begin

Complete these steps:

  1. Set up the Google Security Operations Ingestion API to forward events to Google SecOps. Edge DNS security analytics uses the Ingestion API to send event data to Google SecOps. For more information, see Google Security Operations data ingestion.
  2. Make sure you have the following information:
    • Customer ID. The Customer ID is a unique identifier for your configuration in Google Security Operations. To locate your Customer ID, see the Google Security Operations documentation.
    • Service Account Credentials. You can obtain these credentials from the Google Cloud Platform (GCP). For more detailed instructions, see the Google Cloud IAM documentation. To find these credentials:
      1. Sign in to your Google Cloud account.
      2. Navigate to the IAM (Identity and Access Management) section.
      3. Select Service Accounts.
      4. Create a new service account or select an existing one.
      5. Download the JSON key file for this service account.

To configure a SIEM integration with Google SecOps:

  1. In Control Center, go to ≡ > DNS SOLUTIONS > Edge DNS. The Zone list page opens.
  2. Click Security analytics.
  3. Click Settings in the top right corner.
  4. In the window that appears, select your SIEM destination.
  5. Select types of events to send (for example, NXDOMAIN Spikes, Dangling CNAMEs).
  6. Enter the credentials and details of your SIEM system: Customer ID and Service Account Credentials.
  7. Save the configuration to start sending events to the SIEM.

Configure a SIEM integration with Microsoft Sentinel

This procedure outlines the steps to configure Microsoft Sentinel as a SIEM destination. By completing this setup, you establish a centralized location for monitoring and analyzing security data.

Before you begin

Complete these steps:

  1. Set up the Logs Ingestion API in Azure Monitor to send events to Microsoft Sentinel. Edge DNS security analytics uses the Log Ingestion API to send event data to Microsoft Sentinel. For instructions, see Connect with the Log Ingestion API. For step-by-step guidance, you can also see the Send data to Azure Monitor Logs tutorial.
  2. Make sure you have the following information . The official Microsoft Sentinel documentation provides details on how to locate or create each of these items:
    • Application (client) ID. The unique GUID of your application. You can find this in the App registrations section of Azure Entra Admin Center.
    • Primary Domain. The primary domain associated with the tenant / directory. You can find it in the Overview section of Azure Entra Admin Center under .
    • DCR ID. The Data Collection Rule (DCR) ID. This is created and managed in Azure Monitor, which links the rule to Microsoft Sentinel. You can find this in the Data Collection Rule’s JSON view.
    • Client secret. A secret key used for authenticating the application. This can be generated in the Certificates & secrets section of the app registration in Azure Entra Admin Center.
    • Log Ingestion URI. The endpoint where data collected by the Data Collection Rules is sent. This is configurable in Azure Monitor.
    • DCR Stream Name. The name of the stream used for storing collected data. You set this up when creating the Data Collection Rule in Azure Monitor.

To configure a SIEM integration with Microsoft Sentinel:

  1. In Control Center, go to ≡ > DNS SOLUTIONS > Edge DNS. The Zone list page opens.
  2. Click Security analytics.
  3. Click Settings in the top right corner.
  4. In the window that appears, select your SIEM destination.
  5. Select types of events to send (for example, NXDOMAIN Spikes, Dangling CNAMEs).
  6. Enter the credentials and details of your SIEM system:
    • Enter the Application ID for the integration.
    • Provide the Primary Domain of your Azure Entra.
    • Add the DCR ID, which links the data collection process.
    • Enter the Client Secret for secure authentication.
    • Specify the Log Ingestion URI where data will be sent.
    • Configure the DCR Stream Name for storing collected data.
  7. Save the configuration to start sending events to SIEM.

Configure a SIEM integration with Splunk

This procedure outlines the steps to configure Splunk as a SIEM destination. By completing this setup, you establish a centralized location for monitoring and analyzing security data.

Before you begin

Complete these steps:

  1. Set up the HTTP Event Collector (HEC) to forward events to Splunk. Edge DNS security analytics uses the HEC service to send event data to Splunk. For instructions, see Set up and use HTTP Event Collector in the Splunk documentation.
  2. Make sure you have the following information. The official Splunk documentation provides details on how to locate or create each of these items.
    • HEC Host. The hostname or endpoint of Splunk HTTP Event Collector (HEC). This is typically provided during the Splunk setup process (for example, splunkhec.com).
    • HEC Port. The port number used for HEC. Typically, this is set to 8088.
    • HEC Token. The authentication token generated in Splunk to allow data ingestion securely.
    • HEC Install Type. The type of Splunk installation you are using (for example, Splunk Cloud Platform).
    • Index. The name of the Splunk index where events will be stored (for example, INDEX_MAIN).
    • Source Name. The identifier for the source of the data (for example, AKAM_ANALYTICS).

To configure a SIEM integration with Splunk:

  1. In Control Center, go to ≡ > DNS SOLUTIONS > Edge DNS. The Zone list page opens.
  2. Click Security analytics.
  3. Click Settings in the top right corner.
  4. In the window that appears, select your SIEM destination.
  5. Select types of events to send (for example, NXDOMAIN Spikes, Dangling CNAMEs).
  6. Enter the credentials and details of your SIEM system:
    • HEC Host: Enter the Splunk HTTP Event Collector hostname (for example, splunkhec.com).
    • HEC Port: Specify the port number for HEC communication (for example, 8088).
    • HEC Token: Input the token generated in Splunk to authenticate the connection. (For security, the token will be hidden after entry.)
    • HEC Install Type: Select the appropriate Splunk installation type (for example, Splunk Cloud Platform).
    • Index: Enter the name of the Splunk index where the events should be stored (for example, INDEX_MAIN).
    • Source Name: Specify the source identifier for the data (for example, AKAM_ANALYTICS).
    • HEC Indexer Acknowledgement: Enable or disable the acknowledgment for event indexing.
  7. Save the configuration to start sending events to SIEM.

Updated about 1 month ago