Ask HN: SIEM-like product with DNS as its data API?
A SIEM seems to consist of a database / datasink for event data and an interface for reporting / alerting / alarming on that data. The DNS is a distributed database, which is another way of saying that it is a mechanism for querying distributed databases.
Maybe another way I could put this is, is there a reporting / "pane of glass" tool which can be put in front of DNS-as-a-database? Maybe a TIP?
Any birds of a feather, mailing lists...?
My experience is most SIEM products report from what is ultimately a relatively centralized datasink: the data is collected centrally before it is needed for reporting.
I've got an architecture which (mostly) utilizes the DNS to collect the data when it is needed. It is functional (and useful IMNSHO) right now with dns and netflow data:
# hosts 10.1.0.0/24
10.1.0.11
10.1.0.12
10.1.0.10
# peers 10.1.0.10
www.cnn.com.
infoblox.com.
# peers 10.1.0.11
www.microsoft.com.
www.cnn.com.
# peers 10.1.0.12
www.microsoft.com.
infoblox.com.
# pcompare any same 10.1.0.10 10.1.0.0/24
infoblox.com.
www.cnn.com.
# pcompare all same 10.1.0.10 10.1.0.0/24
# pcompare any diff 10.1.0.10 10.1.0.0/24
# pcompare all diff 10.1.0.10 10.1.0.0/24
infoblox.com.
www.cnn.com.
Here is a short writeup: http://athena.m3047.net/peers.html

I don't know about a particular product, but I have seen people pull data feeds into both Splunk and ELK/Logstash instances in conjunction with DNS query logging. So the SIEMs were just Splunk and ELK/Logstash. Splunk is very expensive. The DNS data feeds were commercial and I can't recall which companies provided them, but the folks at Splunk could likely tell you. Just beware of salespeople.
If you wanted some publicly sourced data try out the firehol [1] datasets. They could probably be used in conjunction with Suricata or Snort distributed to each DNS resolver.
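As an added example (not code from the original poster's tool or from either reply), here is a small Python model of the `hosts` / `peers` / `pcompare` session shown in the question. The peer data is copied from that listing; the meaning of `any|all same|diff` is inferred from the four `pcompare` outputs and is an assumption, as is excluding the reference host from the set it is compared against. It shows how the four modes reduce to two set operations (shared-with-some vs. shared-with-all) and their complements:

```python
import ipaddress

# Constructed peer data, copied from the listing in the original post:
# host -> set of DNS names that host has been observed talking to.
PEERS = {
    "10.1.0.10": {"www.cnn.com.", "infoblox.com."},
    "10.1.0.11": {"www.microsoft.com.", "www.cnn.com."},
    "10.1.0.12": {"www.microsoft.com.", "infoblox.com."},
}


def hosts(cidr):
    """Hosts with peer data inside the CIDR (mirrors `hosts`; sorted here)."""
    net = ipaddress.ip_network(cidr)
    return sorted(h for h in PEERS if ipaddress.ip_address(h) in net)


def peers(host):
    """Peer names observed for one host (mirrors `peers`)."""
    return sorted(PEERS.get(host, set()))


def pcompare(quantifier, relation, host, cidr):
    """Compare one host's peers against the other hosts in the CIDR.

    Assumed semantics, inferred from the original post's output:
      any same -> peers shared with at least one other host in the CIDR
      all same -> peers shared with every other host in the CIDR
      any diff -> peers shared with no other host (complement of 'any same')
      all diff -> peers not shared with every other host (complement of 'all same')
    The reference host itself is excluded from the comparison set (assumption).
    """
    if quantifier not in ("any", "all") or relation not in ("same", "diff"):
        raise ValueError("usage: pcompare any|all same|diff HOST CIDR")
    mine = PEERS.get(host, set())
    others = [PEERS[h] for h in hosts(cidr) if h != host]
    if not others:
        # Nothing to compare against: treat no peer as shared rather than
        # letting all() succeed vacuously and report every peer as shared.
        shared = set()
    elif quantifier == "any":
        shared = {p for p in mine if any(p in o for o in others)}
    else:
        shared = {p for p in mine if all(p in o for o in others)}
    result = shared if relation == "same" else mine - shared
    return sorted(result)


if __name__ == "__main__":
    print("# hosts 10.1.0.0/24", *hosts("10.1.0.0/24"), sep="\n")
    for q in ("any", "all"):
        for r in ("same", "diff"):
            print(f"# pcompare {q} {r} 10.1.0.10 10.1.0.0/24",
                  *pcompare(q, r, "10.1.0.10", "10.1.0.0/24"), sep="\n")
```

Run as a script it reproduces the four `pcompare` results from the question (output is sorted, where the original listing is not). The useful defensive reading is the `all diff` case: peers a host talks to that the rest of its subnet does not, which is the set you would want to review when a host starts behaving unlike its neighbours.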
I'm not 100% certain if I'm understanding the requirement correctly - but would something like this help?