View DNS Security Logs (NGFW (Managed by PAN-OS or Panorama))
Advanced DNS Security Powered by Precision AI™

  1. Search for activity on the firewall for queries that have been processed using DNS Security.
    1. Select Monitor > Logs > Threat and filter based on the DNS category.
      Consider the following examples:
      • ( category-of-threatid eq dns-c2 ) to view logs that have been determined to be a C2 domain by DNS Security.
      • ( category-of-threatid eq adns-hijacking ), whereby the variable adns-hijacking indicates DNS queries that have been categorized as a malicious DNS hijacking attempt by Advanced DNS Security.
      To search for other DNS categories, replace c2 with another supported DNS category (ddns, parked, malware, etc.).
    2. Select a log entry to view the details of a detected DNS threat.
    3. The threat Category is displayed in the Details pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding windows.
    4. For stockpiled domains and DNS tunneling domains, including tunneling-based APTs (advanced persistent threats), you can view the tools used in the attack as well as the attack campaigns associated with the domain. This information is reflected in the Threat ID/Name field of the log entry for a given domain. The Threat ID/Name for DNS domains with attributions uses the following format (shown here for DNS tunnel domains): Tunneling:<tool_name>,<tool_name>,<tool_name>,...:<domain_name>, where each tool_name in the comma-separated list is either a DNS tunneling tool used to embed data into the DNS queries and responses or the name of the cyber threat campaign. These campaigns can be industry-accepted incidents that use the same naming conventions, or can be ones identified and named by Palo Alto Networks and described in the Unit 42 Threat Research blogs. A blog describing such a campaign, in this case one leveraging DNS tunneling techniques, can be found here: Leveraging DNS Tunneling for Tracking and Scanning. Alternatively, you can view the attribution information from the Palo Alto Networks ThreatVault and the URL Filtering Test A Site.
      The associated tool and campaign attributions might take some time after the initial detection has completed to become viewable in the logs, as well as in the Palo Alto Networks ThreatVault and Test-A-Site. When the attribution component has finished and been verified, the complete DNS tunneling tools and campaign details are displayed in the Threat ID/Name and campaign fields.
      Consider the following examples (screenshots in the original, showing the attribution as displayed in PAN-OS, ThreatVault, and the URL Filtering Test-A-Site):
      • DNS Tunneling Domain APT Attribution
      • Stockpiled Domain APT Attribution
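The category filter and the Threat ID/Name attribution format described in the steps above, as an added example that is not Palo Alto Networks code: it parses the Tunneling:<tool_name>,...:<domain_name> string, mimics the ( category-of-threatid eq ... ) selection over constructed records (a simplified stand-in for Threat log fields; tool, campaign and domain names are placeholders), and separates entries whose attribution is still pending from those already attributed.

```python
# Added example, not Palo Alto Networks code: parse Threat ID/Name attribution and filter constructed records.
from dataclasses import dataclass, field


@dataclass
class DnsAttribution:
    detection: str                              # e.g. "Tunneling"
    tools: list = field(default_factory=list)   # tunneling tools and campaign names
    domain: str = ""


def parse_threat_name(threat_name: str) -> DnsAttribution:
    """Parse '<Detection>:<tool>,<tool>,...:<domain>'; an entry still
    awaiting attribution ('<Detection>:<domain>') gets an empty tool list."""
    parts = threat_name.split(":", 2)
    if len(parts) == 3:
        detection, tools_csv, domain = parts
        tools = [t.strip() for t in tools_csv.split(",") if t.strip()]
        return DnsAttribution(detection, tools, domain)
    if len(parts) == 2:
        return DnsAttribution(parts[0], [], parts[1])
    return DnsAttribution("", [], threat_name)


def filter_by_category(records, category):
    """Same selection as the log filter ( category-of-threatid eq <category> )."""
    return [r for r in records if r["category-of-threatid"] == category]


def split_by_attribution(records, category):
    """Return ({domain: tools} for attributed entries, [domains still pending])."""
    attributed, pending = {}, []
    for rec in filter_by_category(records, category):
        a = parse_threat_name(rec["threat_name"])
        if a.tools:
            attributed[a.domain] = a.tools
        else:
            pending.append(a.domain)
    return attributed, pending


# Constructed sample records (simplified Threat log fields; names are placeholders).
SAMPLE_LOGS = [
    {"category-of-threatid": "dns-c2",
     "threat_name": "Tunneling:tool-a,tool-b,campaign-x:tunnel.example.net"},
    {"category-of-threatid": "dns-c2",
     "threat_name": "Tunneling:pending.example.net"},  # attribution not yet populated
    {"category-of-threatid": "adns-hijacking",
     "threat_name": "hijack.example.com"},  # page gives no attribution format for this type
]
```

Running split_by_attribution(SAMPLE_LOGS, "dns-c2") on the sample records gives one attributed domain with three tool/campaign names and one domain still awaiting attribution, which is the state to re-check later per the note above.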