Collect Passive DNS logs
This document explains how to ingest Passive DNS logs to Google Security Operations using Google Cloud Storage V2.
Passive DNS is a DNS intelligence data source that captures historical DNS resolution records for threat analysis and domain investigation. Because the data is typically collected and stored as files, you must upload those files to a Google Cloud Storage (GCS) bucket, and then configure a Google SecOps feed to ingest them.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance.
- A Google Cloud project with Cloud Storage API enabled.
- Permissions to create and manage GCS buckets.
- Permissions to manage IAM policies on GCS buckets.
- Access to Passive DNS data files (for example, DNSDB, Farsight, or another Passive DNS provider).
- Passive DNS data exported in a supported format (for example, JSON or CSV).
Create a Google Cloud Storage bucket
- Go to the Google Cloud Console.
- Select your project or create a new one.
- In the navigation menu, go to Cloud Storage > Buckets.
- Click Create bucket.
Provide the following configuration details:
Setting Value Name your bucket Enter a globally unique name (for example, passive-dns-logs)Location type Choose based on your needs (Region, Dual-region, Multi-region) Location Select the location closest to your Google SecOps instance (for example, us-central1)Storage class Standard (recommended for frequently accessed logs) Access control Uniform (recommended) Protection tools Optional: Enable object versioning or retention policy Click Create.
Configure automated export of Passive DNS data to GCS
Passive DNS data is typically available as exported files from a DNS intelligence provider (for example, Farsight DNSDB, DomainTools, or Cisco Umbrella Investigate). To keep the data in GCS current, configure an automated export pipeline using one of the following approaches.
Option 1: Cloud Scheduler with Cloud Build (recommended)
Use Cloud Build triggered by Cloud Scheduler to run a containerized job that fetches Passive DNS data from your provider and writes it to GCS.
Create a service account for the export job:
- In the GCP Console, go to IAM & Admin > Service Accounts.
- Click Create Service Account.
- Provide the following configuration details:
- Service account name: Enter
passive-dns-export-sa - Service account description: Enter
Service account for automated Passive DNS data export to GCS
- Service account name: Enter
- Click Create and Continue.
- Add the following roles:
- Storage Object Admin (to write files to GCS)
- Cloud Build Editor (to run Cloud Build jobs)
- Click Done.
Create a Cloud Build configuration file (
cloudbuild.yaml):steps: - name: 'gcr.io/cloud-builders/gcloud' entrypoint: 'bash' args: - '-c' - | apt-get update && apt-get install -y curl jq # Fetch Passive DNS data from your provider # Replace with the actual API call for your provider # Example for Farsight DNSDB: TIMESTAMP=$(date -u +%Y%m%d_%H%M%S) curl -s -H "X-API-Key: $${PDNS_API_KEY}" \ "https://api.dnsdb.info/dnsdb/v2/lookup/rrset/name/*.example.com" \ -o /workspace/passive_dns_$${TIMESTAMP}.json # Upload to GCS gcloud storage cp /workspace/passive_dns_$${TIMESTAMP}.json \ gs://${_BUCKET_NAME}/passive-dns/ substitutions: _BUCKET_NAME: 'passive-dns-logs'Store the API key as a Secret Manager secret:
- In the GCP Console, go to Security > Secret Manager.
- Click Create Secret.
- Enter
pdns-api-keyas the secret name. - Enter your Passive DNS provider API key as the secret value.
- Click Create.
Create a Cloud Scheduler job to trigger the build:
- In the GCP Console, go to Cloud Scheduler.
- Click Create Job.
Provide the following configuration details:
Setting Value Name passive-dns-export-dailyRegion Select the same region as your GCS bucket Frequency 0 3 * * *(daily at 3:00 AM UTC)Timezone UTC (recommended) Target type HTTP URL https://cloudbuild.googleapis.com/v1/projects/YOUR_PROJECT_ID/buildsHTTP method POST Auth header Add OAuth token Service account passive-dns-export-sa@YOUR_PROJECT_ID.iam.gserviceaccount.comClick Create.
Option 2: Storage Transfer Service (for on-premise data stores)
If Passive DNS data is stored on an on-premise file system, use Storage Transfer Service with a Transfer Agent.
- In the GCP Console, go to Storage Transfer Service.
- Click Create transfer job.
- Select POSIX filesystem as the source.
- Follow the instructions to install the Storage Transfer Agent on a machine with access to the Passive DNS data files.
Configure the transfer job:
Setting Value Source directory Path to the directory containing Passive DNS data files Destination bucket passive-dns-logsDestination path passive-dns/Schedule Set a recurring schedule (for example, daily) Click Create.
Retrieve the Google SecOps service account
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example,
Passive DNS Logs). - Select Google Cloud Storage V2 as the Source type.
- Select Passive DNS as the Log type.
- Click Get Service Account.
A unique service account email will be displayed, for example:
chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.comCopy this email address for use in the next step.
Grant IAM permissions to the Google SecOps service account
The Google SecOps service account needs Storage Object Viewer role on your GCS bucket.
- Go to Cloud Storage > Buckets.
- Click on your bucket name (for example,
passive-dns-logs). - Go to the Permissions tab.
- Click Grant access.
- Provide the following configuration details:
- Add principals: Paste the Google SecOps service account email (for example,
chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com). - Assign roles: Select Storage Object Viewer.
- Add principals: Paste the Google SecOps service account email (for example,
Click Save.
Configure the Google SecOps feed
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example,
Passive DNS Logs). - Select Google Cloud Storage V2 as the Source type.
- Select Passive DNS as the Log type.
- Click Next.
Specify values for the following input parameters:
Storage bucket URL: Enter the GCS bucket URI:
gs://passive-dns-logs/passive-dns/- Replace
passive-dns-logswith your GCS bucket name. - Replace
passive-dnswith your configured prefix path.
- Replace
Source deletion option: Select the deletion option according to your preference:
- Never: Never deletes any files after transfers (recommended for testing).
- Delete transferred files: Deletes files after successful transfer.
Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.
Maximum File Age: Include files modified in the last number of days (default is 180 days).
Asset namespace: The asset namespace.
Ingestion labels: The label to be applied to the events from this feed.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| hostname | intermediary.hostname | Value copied directly |
| timestamp_s | metadata.event_timestamp | Parsed as UNIX timestamp |
| metadata.event_type | Set to "NETWORK_DNS" | |
| network.application_protocol | Set to "DNS" | |
| answer | network.dns.answers.data | Value from answer after removing trailing dot |
| ttl | network.dns.answers.ttl | Converted to integer |
| class | network.dns.questions.class | Mapped to numeric value (1 for IN, 3 for CH, 4 for HS) |
| query | network.dns.questions.name | Value from query after removing trailing dot |
| type | network.dns.questions.type | Mapped from type (uppercased) to numeric value using DNS type mapping |
| client | principal.ip | Value copied directly |
| server | target.ip | Value copied directly |
| metadata.product_name | Set to "Passive DNS" |
Need more help? Get answers from Community members and Google SecOps professionals.