DNS logs cause massive license and time costs for companies for two primary reasons:
The instantaneous DNS query rate can reach 15 thousand in a typical enterprise network with 10 thousand users. This high number is due to a variety of factors.
For example, approximately 70-100 DNS queries are made when a regular news web page is requested. In addition, even when devices are not in use, the services running in the background continue to generate DNS queries. Mail servers also perform numerous DNS queries during a simple e-mail transmission. In this way, every device on a network constantly performs DNS queries in order to provide or receive internet services.
DNS logs contain a large amount of raw data that is of little use unless it is processed. Each log entry holds the client's IP address and the requested domain, which on their own are not helpful for security analysis. Because client IP addresses are dynamically assigned, retrospective analysis is not always possible.
Furthermore, the logs contain no information about the domain's content or safety. Analysing such a large volume of logs requires correlation on the SIEM. Most of that correlation is spent on domains that are already known to be safe, and every extra correlation process raises the SIEM's cost and consumes the SOC team's time.
The vast majority of the log volume consists of trusted and frequently used domains such as Google, Facebook, and WhatsApp, and this information does not need to be processed by the SIEM. Roksit uses Cyber X-Ray, an AI-based classification system, to distinguish secure domains from malicious or suspicious domains, and then sends only the required data to the SIEM. Besides forwarding traffic to the SIEM, Roksit can also raise an alert in the SIEM, based on the domain's category and other customised rules, when:
After this filtering, the amount of DNS logs sent to the SIEM can be reduced by 95-99%.
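The pipeline described above, as an added example that is not Roksit's code and does not use Cyber X-Ray: a small Python filter that parses constructed DNS query log lines, looks each registered domain up in a constructed classification table standing in for an AI classifier (an assumption, as is the two-label registered-domain heuristic and the log line format), drops queries to trusted categories, forwards the remainder, and raises alerts from the category plus a couple of hypothetical customised rules. It also reports the resulting volume reduction so the effect of the allowlisted categories is measurable.

```python
"""Category-based DNS log reduction before SIEM forwarding (constructed example).

The classification table, log format and rules below are assumptions made for
this example; they are not Roksit's Cyber X-Ray or any real product's API.
"""
from dataclasses import dataclass

# Constructed stand-in for an AI-based domain classifier: registered domain -> category.
DOMAIN_CATEGORY = {
    "google.com": "trusted",
    "facebook.com": "trusted",
    "whatsapp.net": "trusted",
    "example-news.test": "news",
    "example-vendor.test": "software",
    "login-verify.test": "phishing",
    "badhost.test": "malware",
}

# Categories whose queries carry no value for the SIEM and are dropped outright.
TRUSTED_CATEGORIES = {"trusted", "news", "software"}


@dataclass(frozen=True)
class DnsEvent:
    ts: str
    client_ip: str
    qname: str
    qtype: str


def parse_line(line: str) -> DnsEvent:
    """Parse one constructed log line: '<timestamp> <client_ip> <qname> <qtype>'."""
    ts, client_ip, qname, qtype = line.split()
    return DnsEvent(ts, client_ip, qname.rstrip(".").lower(), qtype.upper())


def registered_domain(qname: str) -> str:
    """Crude registered-domain heuristic (last two labels); assumption, a real
    deployment would consult the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def classify(qname: str) -> str:
    """Category for a query name, 'uncategorised' when the table has no entry."""
    return DOMAIN_CATEGORY.get(registered_domain(qname), "uncategorised")


def custom_rules(event: DnsEvent, category: str) -> list:
    """Hypothetical customised alert rules; returns the reasons that fired."""
    reasons = []
    if category in {"malware", "phishing"}:
        reasons.append(f"category:{category}")
    if event.qtype == "TXT" and category == "uncategorised":
        # TXT lookups of unknown domains are worth a second look by an analyst.
        reasons.append("txt-to-uncategorised")
    return reasons


def filter_events(lines):
    """Return (forwarded records, alerts, percentage of events dropped)."""
    forwarded, alerts, total = [], [], 0
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        total += 1
        category = classify(event.qname)
        if category in TRUSTED_CATEGORIES:
            continue  # known-safe traffic: never reaches the SIEM
        record = {"ts": event.ts, "client_ip": event.client_ip,
                  "qname": event.qname, "qtype": event.qtype, "category": category}
        forwarded.append(record)
        reasons = custom_rules(event, category)
        if reasons:
            alerts.append({**record, "reasons": reasons})
    reduction = 100.0 * (total - len(forwarded)) / total if total else 0.0
    return forwarded, alerts, reduction


# Constructed sample log: 12 queries to allowlisted categories, 4 that merit forwarding.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 www.google.com A
2024-01-01T10:00:00Z 10.0.0.5 mail.google.com A
2024-01-01T10:00:01Z 10.0.0.7 static.facebook.com A
2024-01-01T10:00:01Z 10.0.0.7 mmg.whatsapp.net A
2024-01-01T10:00:02Z 10.0.0.9 cdn.example-news.test A
2024-01-01T10:00:02Z 10.0.0.9 img.example-news.test A
2024-01-01T10:00:03Z 10.0.0.11 updates.example-vendor.test A
2024-01-01T10:00:03Z 10.0.0.11 www.google.com AAAA
2024-01-01T10:00:04Z 10.0.0.5 apis.google.com A
2024-01-01T10:00:04Z 10.0.0.7 graph.facebook.com A
2024-01-01T10:00:05Z 10.0.0.9 ads.example-news.test A
2024-01-01T10:00:05Z 10.0.0.11 dl.example-vendor.test A
2024-01-01T10:00:06Z 10.0.0.13 login-verify.test A
2024-01-01T10:00:06Z 10.0.0.13 c2.badhost.test A
2024-01-01T10:00:07Z 10.0.0.15 abc.unknown-dom.test TXT
2024-01-01T10:00:07Z 10.0.0.15 www.unknown2.test A
"""

if __name__ == "__main__":
    fwd, al, pct = filter_events(SAMPLE_LOG.splitlines())
    print(f"forwarded {len(fwd)} of 16 events, {len(al)} alerts, {pct:.1f}% reduction")
    for alert in al:
        print("ALERT", alert["client_ip"], alert["qname"], alert["reasons"])
```

On the constructed sample the filter forwards 4 of 16 events (a 75% reduction) and raises three alerts; on real traffic, where the trusted categories dominate far more heavily, the same logic is what produces the 95-99% figures quoted above. Note that the uncategorised A query is still forwarded without an alert: unknown domains are exactly the data the SIEM should keep, so the allowlist only ever removes what the classifier positively recognises as safe.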