In this article
DNSFilter account users with admin permissions or higher use this article to configure CyberSight Data Export.
CyberSight Data Export sends endpoint user activity and analytics data to a supported SIEM (Security Information and Event Management) platform on a recurring schedule. CyberSight Data Export uses the same Data Export workflow used for DNS query data today. For DNS query export setup, see Data Export configuration.
CyberSight Data Export uses the same HEC-based integration as DNS query export, so it works with most SIEMs, including:
- Microsoft Sentinel
- Crowdstrike
- LogRhythm
- Splunk
- Sumo Logic
- Huntress
CyberSight Data Export can also connect to S3-compatible services such as Wasabi and Backblaze.
What data CyberSight Data Export includes
CyberSight Data Export sends endpoint user activity and analytics data, such as application use, web activity, streaming activity, and user session events. This data differs from DNS query export data, which contains DNS lookups processed through the Roaming Client or network deployments.
An Organization can export DNS query data, CyberSight data, or both. When both are enabled, the SIEM receives two separate payloads per export interval — one for DNS query data and one for CyberSight data.
Prerequisites
The following requirements apply before configuring CyberSight Data Export:
- A DNSFilter Pro plan or higher is required for the Organization
- A CyberSight license is required for the Organization
- The supported destinations at launch are Splunk, Amazon S3, and generic HEC (HTTP Event Collector)
Microsoft Sentinel limitation
Microsoft Sentinel requires a defined schema for each import, so only one data type can import to Sentinel at a time. An Organization exporting to Microsoft Sentinel must choose either DNS query data or CyberSight data for that connection — both cannot run to Sentinel simultaneously.
Configure CyberSight Data Export
Complete the following steps to enable CyberSight Data Export on a new or existing Data Export connection.
- From the DNSFilter dashboard, navigate to Tools and select Data Export
- Select an existing connection, or select Configure Data Export to create a new one
- Select Include CyberSight events
- Re-enter the credentials for the connection when prompted:
- For Splunk or HEC connections, enter the Active Event Collector Token
- For Amazon S3 connections, enter the Access Key and Secret
- Select Save
CyberSight events now export to the configured destination. If the Include CyberSight events option is unavailable, confirm the Organization has an active CyberSight license and that the connection's destination is one of the supported platforms listed above.
To turn off CyberSight Data Export without affecting DNS query export, clear Include CyberSight events and select Save.
CyberSight events now export to the configured destination alongside DNS query data, if enabled. If the Include CyberSight events option is unavailable, confirm the Organization has an active CyberSight license and that the connection's destination is one of the supported platforms listed above.
To turn off CyberSight Data Export without affecting DNS query export, clear Include CyberSight events and select Save.
Comments
0 comments
Please sign in to leave a comment.