CISA

Protective DNS Log Push Training Video

The video walks users through configuring Protective DNS log push, emphasizing a one‑time account upgrade for organizations onboarded before April 2023. It outlines the feature’s capacity to create up to four direct pushes to either an AWS S3 bucket or a Splunk instance, delivering raw resolver logs in under a minute with files containing up to 100,000 records. Key insights include the absence of source‑set or policy metadata in the raw logs, requiring administrators to use the provided crosswalk tables to map IDs after ingestion. The process is automated, contrasting with scheduled extracts, and supports rapid, continuous log streaming. The tutorial details the UI navigation—selecting the Resolver Logs tab, reviewing the log‑push table, and using the Connect a Service button. For S3, users must supply job name, AWS access key, secret, bucket path, region, endpoint URL, and complete an ownership‑token verification. For Splunk, required fields include collector URL, channel ID, URL‑encoded auth token, source type, and a verification token, with similar enable‑and‑save steps. By enabling near‑real‑time DNS log delivery, security teams can integrate data directly into SIEMs or data lakes, accelerating threat detection and response. However, the need for internal IT coordination and post‑push metadata mapping adds operational overhead that organizations must plan for.