Before you begin
Verify that the following have been completed before you view DNS threat logs:
- Enable the Network Security API in your project.
- Verify that you have the DNS Threat Detector Viewer role.
Threat logs are written to Cloud Logging and can result in additional storage costs. See Use logging and monitoring: Pricing or Pricing for Google Cloud Observability: Cloud Logging.
View threat logs
You can view threat logs in the Google Cloud console.
Each log entry includes the details needed to identify the corresponding DNS query and the detected threat.
Console
- In the Google Cloud console, go to the Logs Explorer page.
- Filter the logs for `networksecurity.googleapis.com/DnsThreatDetector`.
Threat log record fields
Every threat log has the following fields.
| Name | Type | Description |
|---|---|---|
| detectionTime | string | Time when the threat was detected, in UTC. The timestamp is in ISO 8601 format. |
| dnsQuery | DnsLog | The DNS query that triggered the detection, in Cloud DNS log format (see the DNS query field table). |
| partnerId | string | Unique partner identifier. |
| threatInfo | threatInfo | Details of the detected threat (see the threat info field table). |
Threat info field
The following table describes the format of the threatInfo field.
| Name | Type | Description |
|---|---|---|
| threatID | string | Unique threat identifier. |
| threat | string | The name of the detected threat. |
| threatDescription | string | A detailed description of the detected threat. |
| category | string | The subtype of the detected threat. |
| type | string | The type of the detected threat, for example DNS_Tunnel, DGA (domain generation algorithm), or C2 (command and control). |
| severity | string | The severity associated with the detected threat: High, Medium, Low, or Info. For more information, see Infoblox's Severity Level Definition. |
| confidence | string | Confidence of the threat prediction: high, medium, or low. For more information, see Infoblox's Confidence Level Definition. |
| threatFeed | string | Threat feed that triggered this threat alert. |
| indicatorType | string | The type of indicator that triggered this threat alert, for example URL, IP, Hash, or Host. |
| threatIndicator | string | The threat indicator that triggered this alert. |
DNS query field
The following table describes the format of the dnsQuery field.
| Name | Type | Description |
|---|---|---|
| projectNumber | string | Source project number. |
| location | string | Google Cloud region from which the response was served, for example us-east1. |
| queryName | string | DNS query name (RFC 1035, section 4.1.2). |
| queryType | string | DNS query type (RFC 1035, section 4.1.2). |
| responseCode | string | DNS response code (RFC 1035, section 4.1.1). |
| rdata | string | DNS answer in presentation format (RFC 1035, section 5.1), truncated to 260 bytes. |
| authAnswer | string | Whether the answer was authoritative (RFC 1035). |
| sourceIp | string | IP address that originated the query. |
| destinationIp | string | Target IP address; only applicable for forwarding cases. |
| protocol | string | TCP or UDP. |
| queryTime | string | Timestamp for when the DNS query was sent. |
| vmInstanceId | string | Compute Engine VM instance name; only applicable to queries initiated by Compute Engine VMs. |
| vmProjectNumber | string | Google Cloud project ID of the network from which the query was sent; only applicable to queries initiated by Compute Engine VM instances. |
| serverlessInstanceId | string | Serverless instance ID from which the query was sent; only applicable to queries initiated by serverless workloads. |
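Putting the three field tables to use: the following Python script is an added example, not code from this page or from Google Cloud. It assumes that each threat log is delivered as a Cloud Logging entry whose `jsonPayload` holds the `detectionTime`, `dnsQuery`, `partnerId`, and `threatInfo` fields described above (the `jsonPayload` path and the `PROJECT_ID` placeholder in the filter are assumptions), and it runs over constructed sample entries rather than real logs. It builds a Logs Explorer filter for the `DnsThreatDetector` log, drops entries below a severity threshold, groups the rest by source IP and VM, and flags an `rdata` value that reached the 260-byte truncation limit, which is the caveat to remember before treating `rdata` as a complete answer.

```python
import json
from collections import defaultdict

# Logs Explorer filter to start from. PROJECT_ID is a placeholder and the
# jsonPayload.* field paths are an assumption about how the entry is delivered.
LOGS_EXPLORER_FILTER = (
    'logName="projects/PROJECT_ID/logs/'
    'networksecurity.googleapis.com%2FDnsThreatDetector"\n'
    'jsonPayload.threatInfo.severity=("High" OR "Medium")'
)

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}
RDATA_LIMIT = 260  # rdata is truncated to 260 bytes per the field table
REQUIRED = ("detectionTime", "dnsQuery", "partnerId", "threatInfo")


def make_entry(severity, threat_type, qname, source_ip, vm, rdata=""):
    """Build a constructed sample entry shaped after this page's field tables."""
    return json.dumps({"jsonPayload": {
        "detectionTime": "2024-05-01T12:00:03Z",
        "partnerId": "partner-1",
        "threatInfo": {"threatID": "t-" + qname, "threat": "sample threat",
                       "threatDescription": "constructed sample",
                       "category": "sample", "type": threat_type,
                       "severity": severity, "confidence": "high",
                       "threatFeed": "feed-a", "indicatorType": "Host",
                       "threatIndicator": qname},
        "dnsQuery": {"projectNumber": "123456789012", "location": "us-east1",
                     "queryName": qname, "queryType": "A",
                     "responseCode": "NOERROR", "rdata": rdata,
                     "authAnswer": "false", "sourceIp": source_ip,
                     "protocol": "UDP", "queryTime": "2024-05-01T12:00:01Z",
                     "vmInstanceId": vm, "vmProjectNumber": "123456789012"},
    }})


# Constructed sample log lines (not real detections): one VM with a DGA hit and
# a tunnelling hit whose rdata is exactly at the truncation limit, and a second
# VM with an Info-level hit that a Medium threshold should drop.
SAMPLE_LINES = [
    make_entry("High", "DGA", "xk2j9qmd8f.example.", "10.128.0.5", "web-1"),
    make_entry("Medium", "DNS_Tunnel", "aGVsbG8gd29y.tun.example.",
               "10.128.0.5", "web-1", rdata="A" * RDATA_LIMIT),
    make_entry("Info", "C2", "cdn.example.", "10.128.0.9", "db-1"),
]


def parse_entry(line):
    """Parse one JSON log line and check the top-level threat log fields."""
    payload = json.loads(line).get("jsonPayload", {})
    missing = [f for f in REQUIRED if f not in payload]
    if missing:
        raise ValueError(f"entry missing fields: {missing}")
    return payload


def meets_threshold(payload, min_severity="Medium"):
    """True if the entry's severity is at or above min_severity."""
    sev = payload["threatInfo"].get("severity")
    return SEVERITY_RANK.get(sev, -1) >= SEVERITY_RANK[min_severity]


def triage(lines, min_severity="Medium"):
    """Group qualifying entries by (sourceIp, vmInstanceId) for follow-up."""
    groups = defaultdict(lambda: {"count": 0, "max_severity": "Info",
                                  "types": set(), "indicators": set(),
                                  "rdata_truncated": False})
    for line in lines:
        p = parse_entry(line)
        if not meets_threshold(p, min_severity):
            continue
        q, t = p["dnsQuery"], p["threatInfo"]
        g = groups[(q.get("sourceIp"), q.get("vmInstanceId"))]
        g["count"] += 1
        if SEVERITY_RANK[t["severity"]] > SEVERITY_RANK[g["max_severity"]]:
            g["max_severity"] = t["severity"]
        g["types"].add(t["type"])
        g["indicators"].add(t["threatIndicator"])
        # rdata at the limit may have been cut off; do not trust it as complete.
        if len(q.get("rdata", "").encode()) >= RDATA_LIMIT:
            g["rdata_truncated"] = True
    return dict(groups)


if __name__ == "__main__":
    print("Logs Explorer filter:\n" + LOGS_EXPLORER_FILTER + "\n")
    for (ip, vm), g in triage(SAMPLE_LINES).items():
        print(f"{ip} ({vm}): {g['count']} hits, max {g['max_severity']}, "
              f"types={sorted(g['types'])}, truncated={g['rdata_truncated']}")
```

The same filter string can be passed to `gcloud logging read` to export matching entries as JSON lines and feed them to `triage`; lower the threshold to `"Info"` to see every detection, and keep the `rdata_truncated` flag in mind when an answer ends exactly at 260 bytes.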
What's next
- Learn more about how to Use logging and monitoring, including how to enable logging for your VPC networks.
- Learn more about Advanced threat detection.
- To find solutions for common issues that you might encounter when using threat monitoring, see Troubleshooting.
- To learn how to be alerted when a threat is detected, see Alerting overview.