Using DNS in Fusion

Recursive DNS request and response logs are a valuable data source for network forensics.

Fusion supports DNS log ingestion from Amazon Web Services (AWS) Route 53 and Google Cloud Platform (GCP). Support for Infoblox NIOS, Cisco Umbrella, and Azure Firewall DNS Proxy is on the product roadmap; if you are using one of these and would like to ingest its logs, reach out to Support.

Combined with network flow metadata, Fusion becomes an even more robust system for network forensics, compromise detection, and network visibility.

By analyzing the DNS requests made in your network, you can use Fusion to:

  • Reconstruct event timelines post-incident.
  • Improve mean time to resolve events through enhanced DNS and Flow data visualization.
  • Highlight patterns of communications with suspicious or malicious domains.
  • Identify DNS patterns indicative of malware or command and control servers.
  • Add DNS-specific fields in NQL for traffic forensic analysis.
  • Use detection models based on DNS traffic.
  • See dashboard visualizations and metrics for DNS activity in the network.

Ingesting DNS Logs to Fusion

See Ingesting DNS Logs to Fusion.

Configure internal domains in Traffic Classification

See Ingesting DNS Logs to Fusion.

Using DNS in the Fusion Portal

Terminology: Flow, DNS, and Traffic

You may notice the terms Flow, DNS, and Traffic throughout the portal.

  • Flow only relates to network flow records.
  • DNS only relates to the DNS resolver records.
  • Traffic is the term used for the combination of Flow and DNS.

Using DNS in the Global filter

Click the filter button (the rounded button in the top-left of the Portal that says Flow, Traffic, DNS, Events, or Blocks) to change the filter to DNS or Traffic.

Changing the filter to DNS permits Fusion to perform operations related to DNS records.

Changing the filter to Traffic permits Fusion to perform operations related to DNS and Flow records.

Using DNS in Detection Models

The Traffic Type field is present when you create or edit a detection model. Selecting DNS lets you build DNS-based detections.

Using DNS in Events

When a Detection Model with Traffic Type DNS generates an event, the traffic column displays DNS.

Using DNS in Dashboards

A new system dashboard named DNS Overview is now available.

When creating or modifying a dashboard, you can use DNS data in individual Dashboard Widgets by selecting the DNS or Traffic category.