SIEM Data Export

Overview

The SIEM Data Export feature allows administrators to stream DNS query and event data from ScoutDNS directly into their SIEM or log analytics platform for advanced analysis, threat correlation, and compliance reporting.

ScoutDNS currently supports HTTP Event Collector (HEC)–based integrations, including:
Splunk HEC
Custom / Generic HEC destinations
Huntress SIEM

How It Works

ScoutDNS continuously streams query log data as JSON payloads over HTTPS to the configured HEC endpoint. Each record includes DNS query details such as timestamps, client information, policy actions, and classifications. This enables direct ingestion into platforms like Splunk Enterprise / Cloud or other SIEM systems supporting HEC-compatible APIs.

Prerequisites

Before configuring export:

Your account must have a license type that includes SIEM Export.
You must have Admin or Tenant Admin permissions.
Your destination system must expose a reachable HEC endpoint (HTTPS recommended).
A valid HEC token is required for authentication.

Configuration Options

When creating a new SIEM export stream, administrators can customize how and what data is sent:

Endpoint Settings

Admins define the destination type for the stream:

Splunk HEC – optimized for the Splunk event structure.
Custom / Generic HEC – for other compatible SIEM or log management systems.
Huntress – for Huntress SIEM.

along with the Event Collector URL and the HEC token used to authenticate to it.

You can use the Test button to confirm that the endpoint accepts the token before saving.

Data Type

Choose the type of data to include in the export. Admins can select one or multiple data types per stream:

All Data – sends all DNS query logs, including allowed and blocked requests.
Threat Blocks – sends only events classified as security threats (e.g., malware, phishing, C2).
Content Blocks – sends only policy-driven content filtering blocks (e.g., adult content, social media, streaming).

Fields

In the Fields tab, you choose which data fields are exported and how they are labeled:

Default – the default labels, as shown in the Logs tab.
ECS – Elastic Common Schema (ECS) compatible labels.
Custom – select individual fields and labels. Any field not selected is dropped from the export.

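The following is an added example, not ScoutDNS code, that shows what the sections above describe: a DNS query record wrapped in a Splunk HEC event envelope and posted over HTTPS with the token in the Authorization header, and the three Fields-tab modes (Default, ECS, Custom) applied to that record. The sample record, the field names in it, the ECS mapping table, the sourcetype, the token and the endpoint URL are all constructed assumptions, not the real ScoutDNS schema; the HEC envelope shape, the `Authorization: Splunk <token>` header and the `{"text": "Success", "code": 0}` acknowledgement are the standard Splunk HEC contract.

```python
"""HEC export shaping: envelope, field modes and a pre-flight check (example code, not ScoutDNS's)."""
import json
import ssl
import urllib.request
from datetime import datetime, timezone

# Constructed sample DNS query record. Field names are assumptions for illustration only.
SAMPLE_RECORD = {
    "timestamp": 1700000000,          # epoch seconds
    "client_ip": "10.0.0.25",
    "organization": "Example Org",
    "query": "example.com",
    "query_type": "A",
    "action": "allowed",              # e.g. allowed / blocked
    "category": "Business",
}

# Assumed mapping from the default labels to ECS field names (real ECS names, assumed pairing).
ECS_MAP = {
    "timestamp": "@timestamp",
    "client_ip": "source.ip",
    "organization": "organization.name",
    "query": "dns.question.name",
    "query_type": "dns.question.type",
    "action": "event.action",
    "category": "rule.category",
}


def apply_fields_mode(record, mode, selected=None):
    """Return the record as the chosen Fields-tab mode would export it."""
    if mode == "Default":
        return dict(record)
    if mode == "ECS":
        out = {ECS_MAP.get(k, k): v for k, v in record.items()}
        # ECS @timestamp is an ISO-8601 string, not an epoch integer.
        out["@timestamp"] = datetime.fromtimestamp(record["timestamp"], tz=timezone.utc).isoformat()
        return out
    if mode == "Custom":
        keep = set(selected or ())
        # Any field not selected is dropped from the export.
        return {k: v for k, v in record.items() if k in keep}
    raise ValueError(f"unknown fields mode: {mode}")


def build_hec_event(record, mode="Default", selected=None, sourcetype="scoutdns:dns"):
    """Wrap one record in a Splunk HEC event envelope (sourcetype value is assumed)."""
    return {
        "time": record["timestamp"],
        "sourcetype": sourcetype,
        "event": apply_fields_mode(record, mode, selected),
    }


def hec_request(url, token, events):
    """Build the HTTP request HEC expects: newline-separated JSON events, token in the header."""
    body = "\n".join(json.dumps(e) for e in events)
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return {"url": url, "headers": headers, "body": body.encode()}


def endpoint_is_https(url):
    """Pre-flight check mirroring the HTTPS recommendation: refuse to stream over plain HTTP."""
    return url.lower().startswith("https://")


def hec_response_ok(response_json):
    """Splunk HEC acknowledges an accepted batch with {"text": "Success", "code": 0}."""
    return response_json.get("code") == 0 and response_json.get("text") == "Success"


def send_hec(url, token, events):
    """Post a batch to a live HEC endpoint (needs network; not exercised offline)."""
    if not endpoint_is_https(url):
        raise ValueError("refusing to send DNS logs over a non-HTTPS endpoint")
    req = hec_request(url, token, events)
    request = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    with urllib.request.urlopen(request, context=ssl.create_default_context(), timeout=10) as resp:
        return hec_response_ok(json.loads(resp.read().decode()))


if __name__ == "__main__":
    ev = build_hec_event(SAMPLE_RECORD, mode="ECS")
    print(json.dumps(ev, indent=2))
    req = hec_request("https://siem.example.invalid:8088/services/collector/event", "EXAMPLE-TOKEN", [ev])
    print(req["headers"]["Authorization"], len(req["body"]), "bytes")
```

The Custom mode is the one to watch when building detections downstream: a field that was not selected never reaches the SIEM, so a correlation rule keyed on, say, the client address will silently match nothing if that field was left unchecked.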
Organization Scope (MSP Only)

If your account is configured for MSP / Multi-Organization management, you can define export scope. This allows MSPs to maintain separate exports for some clients or combine all into a single SIEM destination.

All Organizations – sends data for every managed organization.
Specific Organizations – choose one or more organizations to include in the stream.

Configure Huntress SIEM Export

From your Huntress portal

In SIEM Source Management, select Add Source and choose Generic HEC as the source type. (ScoutDNS will be offered as a source selection in the near future.)
Choose the organization to assign the data to. It is recommended to choose a single parent organization; otherwise you must repeat these steps to create an export for every organization. Each query is still labeled with its organization.
Name the source collection and save to generate your token.

From ScoutDNS

Navigate to Settings > Data Export and choose New Data Export.

Settings Tab
Name your export and enter a description if desired.
Under Configure Destination, select Huntress as the Type. This populates the Event Collector URL automatically.
From your Huntress portal, copy and paste the token generated earlier.
You can use the Test button to confirm that the token and account connect successfully.

Send Data Tab
It is recommended to send all query types.

Fields Tab
For Huntress, ScoutDNS sets the field mapping to ECS; this mapping cannot be changed.

Organizations Tab
Select specific organizations or choose All Organizations.

Press Save in the upper right corner; your data export activates and starts streaming right away. Data is sent in near real time as queries are logged within ScoutDNS.