View threat logs

Before you begin

Verify that the following have been completed before you view DNS threat logs:

• Enable the Network Security API in your project.
• Verify that you have the DNS Threat Detector Viewer role.

Threat logs are written to Cloud Logging and can result in additional storage costs. See Use logging and monitoring: Pricing or Pricing for Google Cloud Observability: Cloud Logging .

Permissions required for this task

To perform this task, you must have been granted the following permissions or the following IAM roles.

Permissions

• resourcemanager.projects.get
• resourcemanager.projects.list
• networksecurity.dnsThreatDetectors.get
• networksecurity.dnsThreatDetectors.list

Roles

• roles/networksecurity.dnsThreatDetectorViewer
• roles/logging.viewer

View threat logs

You can view logs in the Google Cloud console.

Each log entry includes details to identify the corresponding DNS query and threat.

Threat log record fields

Every threat log has the following fields.

Name	Type	Description
detectionTime	string	Time when the threat is detected in UTC. The timestamp is in ISO 8601 format.
dnsQuery	DnsLog	Cloud DNS Log format.
partnerId	string	Unique partner identifier.
threatInfo	threatInfo	The details of threat detected.

Threat info field

The following table describes the format of the threatInfo field.

Name	Type	Description
threatID	string	Unique threat identifier.
threat	string	The name of the threat detected.
threatDescription	string	A detailed description of the threat detected.
category	string	The subtype of the threat detected.
type	string	The type of the threat detected. For example, DNS_Tunnel, DGA (Domain Generation Algorithms), or C2 (Command and Control).
severity	string	The severity, (High, Medium, Low, or Info), associated with the threat detected. For more information, see Infoblox's Severity Level Definition
confidence	string	Confidence of the threat prediction (high, medium, low). For more information, see Infoblox's Confidence Level Definition
threatFeed	string	Threat feed that triggered this threat alert.
indicatorType	string	The type of indicator that triggered this threat alert. For example, URL, IP, Hash, or Host.
threatIndicator	string	The threat indicator that triggered this alert.

DNS Query field

The following table describes the format of the DnsQuery field.

Name	Type	Description
projectNumber	string	Source project number.
location	string	Google Cloud region, for example us-east1 , from which the response was served.
queryName	string	DNS query name, RFC 1035 4.1.2 .
queryType	string	DNS query type, RFC 1035 4.1.2 .
responseCode	string	Response code, RFC 1035 4.1.1 .
rdata	string	DNS answer in presentation format, RFC 1035 5.1 , truncated to 260 bytes.
authAnswer	string	Authoritative answer, RFC 1035 .
sourceIp	string	IP originating the query.
destinationIp	string	Target IP address, only applicable for forwarding cases.
protocol	string	TCP or UDP .
queryTime	string	Timestamp for when the DNS query was sent.
vmInstanceId	string	Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs.
vmProjectNumber	string	Google Cloud project ID of the network from which the query was sent, only applicable to queries initiated by Compute Engine VM instances.
serverlessInstanceId	string	Serverless instance ID from which the query was sent, only applicable to queries initiated by Serverless.

What's next

• Learn more about how to Use logging and monitoring , including how to enable logging for your VPC networks.

• Learn more about Advanced threat detection .

• To find solutions for common issues that you might encounter when using threat monitoring, see Troubleshooting .

• To learn how to be alerted when a threat is detected, see Alerting overview .