Collect AWS Route 53 logs
This document explains how to configure AWS CloudTrail to store AWS Route 53 DNS logs in an S3 bucket and ingest the logs from S3 to Google Security Operations. Amazon Route 53 provides DNS query logging and the ability to monitor your resources using health checks. Route 53 is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Route 53.
Before you begin
- Ensure that you have a Google SecOps instance.
- Ensure that you have privileged access to AWS.
Configure AWS Cloudtrail and Route 53
- Sign in to the AWS Console.
- Search for Cloudtrail.
- If you don't already have a trail, click Create trail.
- Provide a Trail name.
- Select Create new S3 bucket (you may also choose to use an existing S3 bucket).
- Provide a name for AWS KMS alias, or choose an existing AWS KMS Key.
- Leave the other settings as default, and click Next.
- Under Event type, make sure Management events is selected (these are the events that include the Route 53 API calls).
- Click Next.
- Review the settings in Review and create.
- Click Create trail.
- In the AWS console, search for S3.
- Click the newly created log bucket and select the AWSLogs folder.
- Click Copy S3 URI and save it.
Configure AWS IAM User
- In the AWS console, search for IAM.
- Click Users.
- Click Add Users.
- Provide a name for the user (for example, chronicle-feed-user).
- Select Access key - Programmatic access as the AWS credential type.
- Click Next: Permissions.
- Select Attach existing policies directly.
- Select AmazonS3ReadOnlyAccess or AmazonS3FullAccess.
- Click Next: Tags.
- Optional: add any tags if required.
- Click Next: Review.
- Review the configuration and click Create user.
- Copy the Access key ID and Secret access key of the created user.
Configure a feed in Google SecOps to ingest the AWS Route 53 logs
- Go to SIEM Settings > Feeds.
- Click Add new.
- In the Feed name field, enter a name for the feed (for example, AWS Route 53 Logs).
- Select Amazon S3 as the Source type.
- Select AWS Route 53 as the Log type.
- Click Next.
Specify values for the following input parameters:
- Region: the region where the Amazon S3 bucket is located.
- S3 URI: the bucket URI.
s3://BUCKET_NAME
- Replace BUCKET_NAME with the actual name of the bucket.
- URI is a: select Directory which includes subdirectories.
- Source deletion options: select the deletion option according to your preference.
- Access Key ID: the User access key with access to the S3 bucket.
- Secret Access Key: the User secret key with access to the S3 bucket.
- Asset namespace: the asset namespace.
- Ingestion labels: the label to be applied to the events from this feed.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.
UDM Mapping Table
Log field | UDM mapping | Logic |
---|---|---|
account_id | read_only_udm.principal.resource.product_object_id | The AWS account ID associated with the query. |
firewall_domain_list_id | read_only_udm.security_result.rule_labels.value | The ID of the domain list that the domain being queried is a part of. |
firewall_rule_action | read_only_udm.security_result.action | The action performed by the firewall rule that matched the query. Possible values are "ALLOW", "BLOCK", or "UNKNOWN_ACTION" if the action is not recognized. |
firewall_rule_group_id | read_only_udm.security_result.rule_id | The ID of the firewall rule group that matched the query. |
logEvents{}.id | read_only_udm.principal.resource.product_object_id | The unique ID of the log event. Used as a fallback if 'account_id' is not present. |
logEvents{}.message | | This field is parsed into other UDM fields based on its format. |
logEvents{}.timestamp | read_only_udm.metadata.event_timestamp.seconds | The time when the DNS query was logged. |
messageType | | This field is used to determine the structure of the log message. |
owner | read_only_udm.principal.user.userid | The AWS account ID of the owner of the log. |
query_class | read_only_udm.network.dns.questions.class | The class of the DNS query. |
query_name | read_only_udm.network.dns.questions.name | The domain name that was queried. |
query_timestamp | read_only_udm.metadata.event_timestamp.seconds | The time when the DNS query was made. |
query_type | read_only_udm.metadata.product_event_type | The type of DNS query. |
rcode | read_only_udm.metadata.description | The response code of the DNS query. |
region | read_only_udm.principal.location.name | The AWS region where the query originated. |
srcaddr | read_only_udm.principal.ip | The IP address of the client that made the DNS query. |
srcids.instance | read_only_udm.principal.hostname | The instance ID of the client that made the DNS query. |
srcids.resolver_endpoint | read_only_udm.security_result.rule_labels.value | The endpoint ID of the resolver that handled the query. |
srcids.resolver_network_interface | read_only_udm.security_result.rule_labels.value | The network interface ID of the resolver that handled the query. |
srcport | read_only_udm.principal.port | The port number of the client that made the DNS query. |
transport | read_only_udm.network.ip_protocol | The transport protocol used for the DNS query. |
version | read_only_udm.metadata.product_version | The version of the Route 53 Resolver Query Logs format. |
N/A | read_only_udm.metadata.event_type | Hardcoded to "NETWORK_DNS". |
N/A | read_only_udm.metadata.product_name | Hardcoded to "AWS Route 53". |
N/A | read_only_udm.metadata.vendor_name | Hardcoded to "AMAZON". |
N/A | read_only_udm.principal.cloud.environment | Hardcoded to "AMAZON_WEB_SERVICES". |
N/A | read_only_udm.network.application_protocol | Hardcoded to "DNS". |
N/A | read_only_udm.network.dns.response_code | Mapped from the "rcode" field using a lookup table. |
N/A | read_only_udm.network.dns.questions.type | Mapped from the "query_type" field using a lookup table. |
N/A | read_only_udm.metadata.product_deployment_id | Extracted from the 'logevent.message_data' field using a grok pattern. |
N/A | read_only_udm.network.dns.authority.name | Extracted from the 'logevent.message_data' field using a grok pattern. |
N/A | read_only_udm.security_result.rule_labels.key | Set to "firewall_domain_list_id", "resolver_endpoint", or "resolver_network_interface" depending on the available fields. |
N/A | read_only_udm.security_result.action_details | Set to the value of "firewall_rule_action" if it is not "ALLOW" or "BLOCK". |
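As an added worked example (not the Google SecOps parser's own code), the following Python applies the table's rules to one constructed Resolver query log record: the rcode and query-type lookups use the standard DNS numeric values (assumed to match the parser's lookup tables), the rule_labels keys follow the "depending on the available fields" rule, and a DNS Firewall action other than ALLOW or BLOCK is carried in action_details. Every value in SAMPLE is constructed; the field names are the ones in the table.

```python
"""Map one Route 53 Resolver query log record onto the UDM field names in the table above.
Added illustration, not the Google SecOps parser; rcode/query-type numbers are standard DNS values."""
from datetime import datetime, timezone

RCODES = {"NOERROR": 0, "FORMERR": 1, "SERVFAIL": 2, "NXDOMAIN": 3, "REFUSED": 5}
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
LABEL_SOURCES = (("firewall_domain_list_id", ("firewall_domain_list_id",)),   # rule_labels.key,
                 ("resolver_endpoint", ("srcids", "resolver_endpoint")),       # and the path
                 ("resolver_network_interface", ("srcids", "resolver_network_interface")))
# Constructed sample in the Resolver query log JSON layout (not real data).
SAMPLE = {"account_id": "111122223333", "region": "us-east-1", "version": "1.100000",
          "query_timestamp": "2024-10-22T12:00:05Z", "query_name": "example.test.", "query_type": "A",
          "query_class": "IN", "rcode": "NXDOMAIN", "srcaddr": "10.0.1.25", "srcport": "53412",
          "transport": "UDP", "srcids": {"instance": "i-0000000000example"}, "firewall_rule_action": "ALERT",
          "firewall_rule_group_id": "rslvr-frg-example", "firewall_domain_list_id": "rslvr-fdl-example"}

def _dig(record, path):
    for key in path:  # follow a key path through nested dicts; None if any step is missing
        record = record.get(key) if isinstance(record, dict) else None
    return record

def to_udm(record):
    ts = datetime.strptime(record["query_timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    udm = {"metadata.event_type": "NETWORK_DNS", "metadata.product_name": "AWS Route 53",
           "metadata.vendor_name": "AMAZON", "principal.cloud.environment": "AMAZON_WEB_SERVICES",
           "network.application_protocol": "DNS",  # the hardcoded values listed in the table
           "metadata.event_timestamp.seconds": int(ts.replace(tzinfo=timezone.utc).timestamp()),
           "metadata.product_event_type": record.get("query_type"),
           "metadata.product_version": record.get("version"),
           "metadata.description": record.get("rcode"),  # raw rcode string kept as description
           "network.dns.response_code": RCODES.get(record.get("rcode")),  # numeric via lookup
           "network.dns.questions.type": QTYPES.get(record.get("query_type")),
           "network.dns.questions.name": record.get("query_name"),
           "network.dns.questions.class": record.get("query_class"),
           "network.ip_protocol": record.get("transport"),
           "principal.resource.product_object_id": record.get("account_id"),
           "principal.location.name": record.get("region"), "principal.ip": record.get("srcaddr"),
           "principal.port": int(record["srcport"]) if record.get("srcport") else None,
           "principal.hostname": _dig(record, ("srcids", "instance")),
           "security_result.rule_id": record.get("firewall_rule_group_id")}
    action = record.get("firewall_rule_action")
    if action in ("ALLOW", "BLOCK"):
        udm["security_result.action"] = action
    elif action:  # e.g. DNS Firewall ALERT is not a UDM action, so the raw value goes to details
        udm["security_result.action"] = "UNKNOWN_ACTION"
        udm["security_result.action_details"] = action
    labels = [{"key": k, "value": _dig(record, p)} for k, p in LABEL_SOURCES if _dig(record, p)]
    if labels:
        udm["security_result.rule_labels"] = labels
    return {k: v for k, v in udm.items() if v is not None}  # omit fields absent from the record
```

Running to_udm on a real record that still carries the CloudWatch wrapper (messageType, logEvents) requires unwrapping each logEvents{}.message first; this example handles only the inner Resolver query record.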
Changes
2024-10-22
- Enhancement: Mapped "answers" field to "network.dns.answers".
2024-10-17
- Enhancement: Added on_error to all fields before mapping to UDM.
2023-12-20
- Bug-Fix:
- Added gsub to replace "\" with "#" to convert SYSLOG into JSON.
- Added gsub to replace back "#" with "\".
2023-05-08
- Enhancement:
- Modified Grok pattern for the query DNS logs to support a new log format.
- Handle JSON logs containing multiple events.
2022-08-10
- Removed extra uppercase mutate blocks.
2022-07-22
- Newly created parser.