With additional configuration in AWS, you can also use this integration to monitor DNS queries. Malicious actors can use DNS for data theft, C2, DNS tunneling, cache poisoning, DNS hijacking, and more. Logging the queries made and responses received by devices in your network can be valuable in proactive alerting and investigations.
The instructions below explain how to log queries from your AWS services within VPCs to an S3 bucket. The query logging configuration happens within Route 53 and applies to the VPCs within your specified region. A configuration is required per region, but can be applied to multiple VPCs of that region.
Step 1: Configure query logging in Route 53
Log in to your AWS account.
Navigate to the Route 53 service within the region you plan to log.
On the lefthand side, under Resolver, click Query Logging.
You should be redirected to a “Query logging configurations” page. If not, try clicking “Query Logging” link again.
In the upper right corner, click Configure Query Logging.
On the next page, fill in the Query Logging configuration form:
Name: Enter a descriptive name.
Destination for query logs: Select S3 bucket.
Amazon S3 Bucket: Select the S3 bucket where you want to configure query logging.
At the bottom of the page, click Configure query logging.
Within a few minutes, you should start receiving logs within your S3 bucket at s3://BucketName/BucketPrefix/AWSLogs/ACCOUNTID/vpcdnsquerylogs/VPCName/Year/Month/Day
Step 2: Onboard log source
Follow the steps in the documentation above to onboard AWS VPC logs to Panther. For the log type, select the AWS.VPCDns schema.
After onboarding the source with the AWS.VPCDns log type, VPCDNS logs will be ingested into Panther.
schema:AWS.VPCDnsparser:native:name:AWS.VPCDnsdescription:DNS query logs represent the queries that VPC DNS resolvers forward to Route 53.referenceURL:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs-format.htmlfields: - name:versionrequired:true description: The version number of the query log format. If we add fields to the log or change the format of existing fields, we'll increment this value.
type:string - name:account_idrequired:truedescription:The ID of the AWS account that created the VPC.type:stringindicators: - aws_account_id - name:regionrequired:truedescription:The AWS Region that you created the VPC in.type:string - name:vpc_idrequired:truedescription:The ID of the VPC that the query originated in.type:string - name:query_timestamprequired:true description: The date and time that the query was submitted, in ISO 8601 format and Coordinated Universal Time (UTC)
type:timestamptimeFormat:rfc3339isEventTime:true - name:query_namerequired:truedescription:The domain name (example.com) or subdomain name (www.example.com) that was specified in the query.type:string - name:query_typerequired:true description: Either the DNS record type that was specified in the request, or ANY. For information about the types that Route 53 supports.
type:string - name:query_classrequired:truedescription:The class of the query.type:string - name:rcoderequired:true description: The DNS response code that Resolver returned in response to the DNS query. The response code indicates whether the query was valid or not. The most common response code is NOERROR, meaning that the query was valid. If the response is not valid, Resolver returns a response code that explains why not. For a list of possible response codes, see DNS RCODEs on the IANA website.
type:string - name:answersrequired:truedescription:Answers to the querytype:arrayelement:type:objectfields: - name:Rdatarequired:true description: The value that Resolver returned in response to the query. For example, for an A record, this is an IP address in IPv4 format. For a CNAME record, this is the domain name in the CNAME record.
type:string - name:Typerequired:true description: The DNS record type (such as A, MX, or CNAME) of the value that Resolver is returning in response to the query.
type:string - name:Classrequired:truedescription:The class of the Resolver response to the query.type:string - name:srcaddrrequired:truedescription:The IP address of the instance that the query originated from.type:stringindicators: - ip - name:srcportrequired:truedescription:The port on the instance that the query originated from.type:string - name:transportrequired:truedescription:The protocol used to submit the DNS query.type:string - name:srcidsrequired:truedescription:The list of IDs of the sources the DNS query originated from or passed through.type:objectfields: - name:instancedescription:The ID of the instance that the query originated from.type:stringindicators: - aws_instance_id - name:resolver-endpointdescription:The ID of the resolver endpoint that passes the DNS query to on-premises DNS servers.type:string - name:firewall_rule_group_id description: The ID of the DNS Firewall rule group that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.
type:string - name:firewall_rule_action description: The action specified by the rule that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.
type:string - name:firewall_domain_list_id description: The domain list used by the rule that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.
type:string
AWS.VPCFlow
VPC Flow is a VPC NetFlow log, which is a layer 3 representation of network traffic in EC2.
Note that for Panther to properly ingest VPC NetFlow logs, they must come directly from S3, in CSV format with a header.
schema:AWS.VPCFlowparser:native:name:AWS.VPCFlowdescription:VPCFlow is a VPC NetFlow log, which is a layer 3 representation of network traffic in EC2.referenceURL:https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.htmlfields: - name:version description: The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3.
type:bigint - name:accountdescription:The AWS account ID for the flow log.type:stringindicators: - aws_account_id - name:interfaceIddescription:The ID of the network interface for which the traffic is recorded.type:string - name:srcAddr description: The source address for incoming traffic, or the IPv4 or IPv6 address of the network interface for outgoing traffic on the network interface. The IPv4 address of the network interface is always its private IPv4 address.
type:stringindicators: - ip - name:dstAddr description: The destination address for outgoing traffic, or the IPv4 or IPv6 address of the network interface for incoming traffic on the network interface. The IPv4 address of the network interface is always its private IPv4 address.
type:stringindicators: - ip - name:srcPortdescription:The source port of the traffic.type:bigint - name:dstPortdescription:The destination port of the traffic.type:bigint - name:protocoldescription:The IANA protocol number of the traffic.type:bigint - name:packetsdescription:The number of packets transferred during the flow.type:bigint - name:bytesdescription:The number of bytes transferred during the flow.type:bigint - name:startrequired:truedescription:The time of the start of the flow (UTC).type:timestamptimeFormat:rfc3339 - name:endrequired:truedescription:The time of the end of the flow (UTC).type:timestamptimeFormat:rfc3339 - name:action description: 'The action that is associated with the traffic. ACCEPT: The recorded traffic was permitted by the security groups or network ACLs. REJECT: The recorded traffic was not permitted by the security groups or network ACLs.'
type:string - name:statusrequired:true description: 'The logging status of the flow log. OK: Data is logging normally to the chosen destinations. NODATA: There was no network traffic to or from the network interface during the capture window. SKIPDATA: Some flow log records were skipped during the capture window. This may be because of an internal capacity constraint, or an internal error.'
type:string - name:vpcIddescription:The ID of the VPC that contains the network interface for which the traffic is recorded.type:string - name:subNetIddescription:The ID of the subnet that contains the network interface for which the traffic is recorded.type:string - name:instanceId description: The ID of the instance that's associated with network interface for which the traffic is recorded, if the instance is owned by you. Returns a '-' symbol for a requester-managed network interface; for example, the network interface for a NAT gateway.
type:stringindicators: - aws_instance_id - name:tcpFlags description: "The bitmask value for the following TCP flags: SYN: 2, SYN-ACK: 18, FIN: 1, RST: 4. ACK is reported only when it's accompanied with SYN. TCP flags can be OR-ed during the aggregation interval. For short connections, the flags might be set on the same line in the flow log record, for example, 19 for SYN-ACK and FIN, and 3 for SYN and FIN."
type:bigint - name:trafficTypedescription:'The type of traffic: IPv4, IPv6, or EFA.'type:string - name:pktSrcAddr description: The packet-level (original) source IP address of the traffic. Use this field with the srcaddr field to distinguish between the IP address of an intermediate layer through which traffic flows, and the original source IP address of the traffic. For example, when traffic flows through a network interface for a NAT gateway, or where the IP address of a pod in Amazon EKS is different from the IP address of the network interface of the instance node on which the pod is running.
type:stringindicators: - ip - name:pktDstAddr description: The packet-level (original) destination IP address for the traffic. Use this field with the dstaddr field to distinguish between the IP address of an intermediate layer through which traffic flows, and the final destination IP address of the traffic. For example, when traffic flows through a network interface for a NAT gateway, or where the IP address of a pod in Amazon EKS is different from the IP address of the network interface of the instance node on which the pod is running.
type:stringindicators: - ip - name:pktSrcAwsService description: 'The name of the subset of IP address ranges for the pkt-srcaddr field, if the source IP address is for an AWS service. The possible values are: AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS | CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CODEBUILD | DYNAMODB | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | KINESIS_VIDEO_STREAMS | ROUTE53 | ROUTE53_HEALTHCHECKS | S3 | WORKSPACES_GATEWAYS.'
type:string - name:pktDstAwsService description: The name of the subset of IP address ranges for the pkt-dstaddr field, if the destination IP address is for an AWS service. For a list of possible values, see the pkt-src-aws-service field.
type:string - name:flowDirection description: 'The direction of the flow with respect to the interface where traffic is captured. The possible values are: ingress | egress.'
type:string - name:trafficPath description: The path that egress traffic takes to the destination. To determine whether the traffic is egress traffic, check the flow-direction field. The possible values are as follows. If none of the values apply, the field is set to -. If the network interface is attached to an instance based on the Nitro System, the possible values include 7 and 8 but not 2. With instances not based on the Nitro System (for example, T2 and M4), the possible values include 2 but not 7 or 8. 1 — Through another resource in the same VPC, 2 — Through an internet gateway or a gateway VPC endpoint, 3 — Through a virtual private gateway, 4 — Through an intra-region VPC peering connection, 5 — Through an inter-region VPC peering connection, 6 — Through a local gateway, 7 — Through a gateway VPC endpoint, 8 — Through an internet gateway
type:smallint - name:regiondescription:The Region that contains the network interface for which traffic is recorded.type:string - name:azId description: The ID of the Availability Zone that contains the network interface for which traffic is recorded. If the traffic is from a sublocation, the record displays a '-' symbol for this field.
type:string - name:sublocationType description: "The type of sublocation that's returned in the sublocation-id field. The possible values are: wavelength | outpost | localzone. If the traffic is not from a sublocation, the record displays a '-' symbol for this field."
type:string - name:sublocationId description: The ID of the sublocation that contains the network interface for which traffic is recorded. If the traffic is not from a sublocation, the record displays a '-' symbol for this field.
type:string
