Before you begin
Verify that the following have been completed before you view DNS threat logs:
- Enable the Network Security API in your project.
- Verify that you have the DNS Threat Detector Viewer role.
Threat logs are written to Cloud Logging and can result in additional storage costs. See Use logging and monitoring: Pricing or Pricing for Google Cloud Observability: Cloud Logging.
View threat logs
You can view logs in the Google Cloud console.
Each log entry includes details to identify the corresponding DNS query and threat.
Console
In the Google Cloud console, go to the Logs Explorer page.
Filter the logs for networksecurity.googleapis.com/DnsThreatDetector.
Threat log record fields
Every threat log has the following fields.
Name | Type | Description |
---|---|---|
detectionTime | string | Time when the threat was detected, in UTC. The timestamp is in ISO 8601 format. |
dnsQuery | DnsLog | Cloud DNS log format. |
partnerId | string | Unique partner identifier. |
threatInfo | threatInfo | The details of the threat detected. |
Threat info field
The following table describes the format of the threatInfo field.
Name | Type | Description |
---|---|---|
threatID | string | Unique threat identifier. |
threat | string | The name of the threat detected. |
threatDescription | string | A detailed description of the threat detected. |
category | string | The subtype of the threat detected. |
type | string | The type of the threat detected. For example, DNS_Tunnel, DGA (Domain Generation Algorithms), or C2 (Command and Control). |
severity | string | The severity (High, Medium, Low, or Info) associated with the threat detected. |
confidence | string | Confidence of the threat prediction (high, medium, low). |
threatFeed | string | Threat feed that triggered this threat alert. |
indicatorType | string | The type of indicator that triggered this threat alert. For example, URL, IP, Hash, or Host. |
threatIndicator | string | The threat indicator that triggered this alert. |
DNS Query field
The following table describes the format of the DnsQuery field.
Name | Type | Description |
---|---|---|
projectNumber | string | Source project number. |
location | string | Google Cloud region (for example, us-east1) from which the response was served. |
queryName | string | DNS query name, RFC 1035 4.1.2. |
queryType | string | DNS query type, RFC 1035 4.1.2. |
responseCode | string | Response code, RFC 1035 4.1.1. |
rdata | string | DNS answer in presentation format, RFC 1035 5.1, truncated to 260 bytes. |
authAnswer | string | Authoritative answer, RFC 1035. |
sourceIp | string | IP address originating the query. |
destinationIp | string | Target IP address, only applicable for forwarding cases. |
protocol | string | TCP or UDP. |
queryTime | string | Timestamp for when the DNS query was sent. |
vmInstanceId | string | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. |
vmProjectNumber | string | Google Cloud project ID of the network from which the query was sent, only applicable to queries initiated by Compute Engine VM instances. |
serverlessInstanceId | string | Serverless instance ID from which the query was sent, only applicable to queries initiated by Serverless. |
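As an added example (not Google's code and not part of this page), the following Python script parses one constructed threat log entry built from the field names in the tables above and applies a simple triage rule on severity, confidence and type. The jsonPayload envelope, the sample values and the escalation thresholds are assumptions.

```python
import json
from datetime import datetime

# Constructed sample entry, not real log data. The field names come from the
# tables on this page; wrapping them in a jsonPayload object is an assumption.
SAMPLE_ENTRY = json.dumps({"jsonPayload": {
    "detectionTime": "2024-05-01T12:34:56Z",
    "dnsQuery": {"projectNumber": "123456789012", "location": "us-east1",
                 "queryName": "placeholder.example.", "queryType": "TXT",
                 "responseCode": "NOERROR", "sourceIp": "10.0.0.5",
                 "protocol": "UDP", "queryTime": "2024-05-01T12:34:55Z",
                 "vmInstanceId": "web-1"},
    "threatInfo": {"threatID": "PLACEHOLDER-ID", "threat": "placeholder name",
                   "threatDescription": "constructed example", "category": "n/a",
                   "type": "DNS_Tunnel", "severity": "Medium",
                   "confidence": "high", "threatFeed": "placeholder-feed",
                   "indicatorType": "Host", "threatIndicator": "placeholder.example."}}})

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Info": 0}
CONFIDENCE_RANK = {"high": 3, "medium": 2, "low": 1}
ACTIVE_TYPES = {"DNS_Tunnel", "DGA", "C2"}  # example types named on this page

def parse_threat_entry(raw: str) -> dict:
    """Flatten one threat log entry into the fields an analyst triages on."""
    payload = json.loads(raw)["jsonPayload"]
    q, t = payload["dnsQuery"], payload["threatInfo"]
    # vmInstanceId and serverlessInstanceId are only present for their own
    # workload kind, so fall back across them.
    origin = q.get("vmInstanceId") or q.get("serverlessInstanceId") or "unknown"
    return {
        "detected_at": datetime.fromisoformat(payload["detectionTime"].replace("Z", "+00:00")),
        "origin": f"{origin}@{q['sourceIp']}",
        "query": f"{q['queryType']} {q['queryName']}",
        "type": t["type"],
        "severity": t["severity"],
        "confidence": t["confidence"],
        "indicator": f"{t['indicatorType']}:{t['threatIndicator']}",
    }

def needs_escalation(entry: dict) -> bool:
    """True for High severity, or Medium severity with high confidence when the
    type is one of ACTIVE_TYPES. Unrecognised strings rank 0 instead of raising."""
    sev = SEVERITY_RANK.get(entry["severity"], 0)
    conf = CONFIDENCE_RANK.get(entry["confidence"], 0)
    return sev >= 3 or (sev == 2 and conf == 3 and entry["type"] in ACTIVE_TYPES)
```

Feed `parse_threat_entry` the jsonPayload of each entry returned by Logs Explorer and route entries for which `needs_escalation` is true to your alerting path.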
What's next
Learn more about how to Use logging and monitoring, including how to enable logging for your VPC networks.
Learn more about Advanced threat detection.
To find solutions for common issues that you might encounter when using threat monitoring, see Troubleshooting.
To learn how to be alerted when a threat is detected, see Alerting overview.