DNS Security

DNS Security logs contain information that the DNS Security service collects, such as server response and request information based on your firewall security policy rules, associated action, and the DNS query details when performing domain lookups.
See the following for information related to supported log formats:
DNS SECURITY Field
(Display Name)
Description
action.​value
(ACTION)
Identifies the action that the firewall took for the network traffic.
Syslog field name: Syslog Field Order
CEF field name: act
EMAIL field name: Action
HTTPS field name: Action
LEEF field name: Action
customer_id
(CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
EMAIL field name: CortexDataLakeTenantId
HTTPS field name: CortexDataLakeTenantId
LEEF field name: CortexDataLakeTenantId
dest_ip.​value
(DNS RESOLVER IP)
The IP address of the DNS resolver.
Syslog field name: Syslog Field Order
CEF field name: PanOSDNSResolverIP
EMAIL field name: DNSResolverIP
HTTPS field name: DNSResolverIP
LEEF field name: DNSResolverIP
dns_response
(DNS RESPONSE)
The IP address that the domain in the DNS query got resolved to.
CEF field name: PanOSDNSResponse
EMAIL field name: DNSResponse
HTTPS field name: DNSResponse
LEEF field name: DNSResponse
dns_response_code
(DNS RESPONSE CODE)
The IP address that the domain in the DNS query got resolved to.
CEF field name: PanOSDNSResponseCode
EMAIL field name: DNSResponseCode
HTTPS field name: DNSResponseCode
LEEF field name: DNSResponseCode
dst_user
(DESTINATION USER)
The username of the user to which the session was destined.
Syslog field name: Syslog Field Order
CEF field name: duser
EMAIL field name: DestinationUser
HTTPS field name: DestinationUser
LEEF field name: DestinationUser
dst_zone
(TO ZONE)
The networking zone the session was destined to.
Syslog field name: Syslog Field Order
CEF field name: cs5
EMAIL field name: ToZone
HTTPS field name: ToZone
LEEF field name: ToZone
fqdn
(FQDN)
The FQDN of the requested domain.
CEF field name: request
EMAIL field name: FQDN
HTTPS field name: FQDN
LEEF field name: url
from_zone
(FROM ZONE)
The networking zone from which the traffic originated.
Syslog field name: Syslog Field Order
CEF field name: cs4
EMAIL field name: FromZone
HTTPS field name: FromZone
LEEF field name: FromZone
gtid
(THREAT ID)
The Global Threat ID of the requested domain. If there is a threat signature associated with the DNS request, this is a Palo Alto Networks threat ID.
Syslog field name: Syslog Field Order
CEF field name: PanOSThreatID
EMAIL field name: ThreatID
HTTPS field name: ThreatID
LEEF field name: ThreatID
log_source
(LOG SOURCE)
Identifies the origin of the data. That is, the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_id
(DEVICE SN)
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalID
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_time
(TIME RECEIVED)
Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.​value
(LOG TYPE)
Identifies the log type.
Syslog field name: Syslog Field Order
CEF field name: DeviceEventClassID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
protocol
(DNS SECURITY VERSION)
A number indicating the PAN-OS version of the firewall that generated the log:
  • 1 - PAN-OS 9.0/9.1
  • 2 - PAN-OS 10.0+
CEF field name: PanOSDNSSecuityVersion
EMAIL field name: DNSSecurityVersion
HTTPS field name: DNSSecurityVersion
LEEF field name: DNSSecurityVersion
record_type
(RECORD TYPE)
The DNS record type:
  • A (IPv4)
  • AAAA (IPv6)
Syslog field name: Syslog Field Order
CEF field name: PanOSRecordType
EMAIL field name: RecordType
HTTPS field name: RecordType
LEEF field name: RecordType
source_ip.​value
(SOURCE ADDRESS)
The IP address of the system that made the DNS request.
Syslog field name: Syslog Field Order
CEF field name: src
EMAIL field name: SourceAddress
HTTPS field name: SourceAddress
LEEF field name: src
source_user
(SOURCE USER)
The username that initiated the network traffic.
CEF field name: suser
EMAIL field name: SourceUser
HTTPS field name: SourceUser
LEEF field name: UsrName
sub_type.​value
(SUB TYPE)
Identifies the log subtype.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: SubType
HTTPS field name: SubType
LEEF field name: SubType
threat_name
(THREAT NAME)
The name of the threat against which the verdict was made.
Syslog field name: Syslog Field Order
CEF field name: cat
EMAIL field name: ThreatName
HTTPS field name: ThreatName
LEEF field name: ThreatName
time_generated
(TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
total_time_elapsed
(SESSION DURATION)
The total duration of the network session.
CEF field name: cn3
EMAIL field name: SessionDuration
HTTPS field name: SessionDuration
LEEF field name: SessionDuration
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
Syslog field name: Syslog Field Order
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
verdict.​value
(DNS CATEGORY)
The DNS category verdict for the requested domain, represented by an integer. The integer represents different categories depending on the value of the
protocol
field.
If
protocol
is 1:
  • 0 - benign/unknown
  • 1 - malware
  • 2 - command and control
  • 3-8 - benign
  • 9 - allowlist
If
protocol
is 2:
  • 0 - benign/unknown
  • 1 - malware
  • 2 - command and control
  • 3 - phishing
  • 4 - dynamicDNS
  • 5 - newly registered domain
  • 6 - grayware
  • 7 - parked
  • 8 - proxy
  • 9 - allowlist
Syslog field name: Syslog Field Order
CEF field name: PanOSDNSCategory
EMAIL field name: DNSCategory
HTTPS field name: DNSCategory
LEEF field name: EventID

Recommended For You