DNS Security
DNS Security logs contain the information that the DNS Security service collects when the firewall performs domain lookups: the details of the DNS query, the request and response information matched against your Security policy rules, and the action the firewall took. The table below lists each field, its display name, and the name it carries in each supported log format (Syslog, CEF, EMAIL, HTTPS and LEEF):
| DNS SECURITY field (display name) | Description | Field name by log format |
|---|---|---|
| action.value (ACTION) | Identifies the action that the firewall took for the network traffic. | Syslog: Syslog Field Order; CEF: act; EMAIL: Action; HTTPS: Action; LEEF: Action |
| customer_id (CORTEX DATA LAKE TENANT ID) | The ID that uniquely identifies the Cortex Data Lake instance that received this log record. | CEF: PanOSCortexDataLakeTenantID; EMAIL: CortexDataLakeTenantId; HTTPS: CortexDataLakeTenantId; LEEF: CortexDataLakeTenantId |
| dest_ip.value (DNS RESOLVER IP) | The IP address of the DNS resolver. | Syslog: Syslog Field Order; CEF: PanOSDNSResolverIP; EMAIL: DNSResolverIP; HTTPS: DNSResolverIP; LEEF: DNSResolverIP |
| dns_response (DNS RESPONSE) | The IP address to which the domain in the DNS query was resolved. | Syslog: Syslog Field Order; CEF: PanOSDNSResponse; EMAIL: DNSResponse; HTTPS: DNSResponse; LEEF: DNSResponse |
| dns_response_code (DNS RESPONSE CODE) | The DNS response code (RCODE) returned for the query. | CEF: PanOSDNSResponseCode; EMAIL: DNSResponseCode; HTTPS: DNSResponseCode; LEEF: DNSResponseCode |
| dst_user (DESTINATION USER) | The username of the user to which the session was destined. | Syslog: Syslog Field Order; CEF: duser; EMAIL: DestinationUser; HTTPS: DestinationUser; LEEF: DestinationUser |
| dst_zone (TO ZONE) | The network zone to which the session was destined. | Syslog: Syslog Field Order; CEF: cs5; EMAIL: ToZone; HTTPS: ToZone; LEEF: ToZone |
| from_zone (FROM ZONE) | The network zone from which the traffic originated. | Syslog: Syslog Field Order; CEF: cs4; EMAIL: FromZone; HTTPS: FromZone; LEEF: FromZone |
| gtid (THREAT ID) | The Global Threat ID of the requested domain. If a threat signature is associated with the DNS request, this is a Palo Alto Networks threat ID. | Syslog: Syslog Field Order; CEF: PanOSThreatID; EMAIL: ThreatID; HTTPS: ThreatID; LEEF: ThreatID |
| log_source (LOG SOURCE) | Identifies the origin of the data, that is, the system that produced it. | CEF: PanOSLogSource; EMAIL: LogSource; HTTPS: LogSource; LEEF: LogSource |
| log_source_group_id (LOG SOURCE GROUP ID) | ID that uniquely identifies the group the log source belongs to, that is, the log_source_id of the group. | CEF: LogSourceGroupID; EMAIL: LogSourceGroupID; HTTPS: LogSourceGroupID; LEEF: LogSourceGroupID |
| log_source_id (DEVICE SN) | ID that uniquely identifies the source of the log, that is, the serial number of the firewall that generated it. If the log was generated by Prisma Access, the serial number is not displayed. | Syslog: Syslog Field Order; CEF: deviceExternalID; EMAIL: DeviceSN; HTTPS: DeviceSN; LEEF: DeviceSN |
| log_time (TIME RECEIVED) | Time the log was received in Cortex Data Lake, as a string holding the number of microseconds since the Unix epoch. | Syslog: Syslog Field Order; CEF: rt; EMAIL: TimeReceived; HTTPS: TimeReceived; LEEF: TimeReceived |
| log_type.value (LOG TYPE) | Identifies the log type. | Syslog: Syslog Field Order; CEF: DeviceEventClassID; EMAIL: LogType; HTTPS: LogType; LEEF: cat |
| panorama_serial (PANORAMA SN) | Serial number of the Panorama associated with Cortex Data Lake. | CEF: PanOSPanoramaSN; EMAIL: PanoramaSN; HTTPS: PanoramaSN; LEEF: PanoramaSN |
| platform_type (PLATFORM TYPE) | The platform type (valid types are VM, PA, NGFW, CNGFW). | CEF: PlatformType; EMAIL: PlatformType; HTTPS: PlatformType; LEEF: PlatformType |
| protocol (DNS SECURITY VERSION) | A number indicating the PAN-OS version of the firewall that generated the log; it determines which category mapping applies to verdict.value. | CEF: PanOSDNSSecuityVersion; EMAIL: DNSSecurityVersion; HTTPS: DNSSecurityVersion; LEEF: DNSSecurityVersion |
| record_type (RECORD TYPE) | The DNS record type of the query. | Syslog: Syslog Field Order; CEF: PanOSRecordType; EMAIL: RecordType; HTTPS: RecordType; LEEF: RecordType |
| source_ip.value (SOURCE ADDRESS) | The IP address of the system that made the DNS request. | Syslog: Syslog Field Order; CEF: src; EMAIL: SourceAddress; HTTPS: SourceAddress; LEEF: src |
| source_user (SOURCE USER) | The username that initiated the network traffic. | CEF: suser; EMAIL: SourceUser; HTTPS: SourceUser; LEEF: UsrName |
| sub_type.value (SUB TYPE) | Identifies the log subtype. | Syslog: Syslog Field Order; CEF: Name; EMAIL: SubType; HTTPS: SubType; LEEF: SubType |
| threat_name (THREAT NAME) | The name of the threat against which the verdict was made. | Syslog: Syslog Field Order; CEF: cat; EMAIL: ThreatName; HTTPS: ThreatName; LEEF: ThreatName |
| time_generated (TIME GENERATED) | Time the log was generated on the firewall's data plane, as a string holding the number of microseconds since the Unix epoch. | Syslog: Syslog Field Order; CEF: start; EMAIL: TimeGenerated; HTTPS: TimeGenerated; LEEF: devTime |
| total_time_elapsed (SESSION DURATION) | The total duration of the network session. | CEF: cn3; EMAIL: SessionDuration; HTTPS: SessionDuration; LEEF: SessionDuration |
| vendor_name (VENDOR NAME) | Identifies the vendor that produced the data. | Syslog: Syslog Field Order; CEF: Device Vendor; EMAIL: VendorName; HTTPS: VendorName; LEEF: Vendor |
| verdict.value (DNS CATEGORY) | The DNS category verdict for the requested domain, as an integer. The integer maps to a different set of categories depending on the value of the protocol field (one mapping when protocol is 1, another when protocol is 2). | Syslog: Syslog Field Order; CEF: PanOSDNSCategory; EMAIL: DNSCategory; HTTPS: DNSCategory; LEEF: EventID |
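The CEF column above maps each field to either a standard CEF key (act, src, cs4, cs5, rt, start, cat) or a vendor-prefixed one (PanOSDNSResolverIP, PanOSDNSCategory, and so on), and three fields (vendor_name, log_type, sub_type) travel in the CEF header rather than the extension. The Python below is an added example, not code from this page or from Palo Alto Networks: it parses a CEF DNS Security record back into the table's field names, undoes CEF escaping (\=, \\, \n), converts the two microsecond timestamps to ISO 8601 UTC, and lists the lookups the firewall did not allow. The sample records are constructed; their header values, threat name, serial number, category integer and the action strings "sinkhole"/"allow" are placeholders the page does not define.

```python
import re
from datetime import datetime, timezone

# CEF extension key -> DNS Security field name, taken from the table above.
# vendor_name, log_type and sub_type come from the CEF header (Device Vendor,
# DeviceEventClassID, Name) and are filled in by normalize_cef().
CEF_KEY_TO_FIELD = {
    "act": "action", "PanOSCortexDataLakeTenantID": "customer_id",
    "PanOSDNSResolverIP": "dest_ip", "PanOSDNSResponse": "dns_response",
    "PanOSDNSResponseCode": "dns_response_code", "duser": "dst_user",
    "cs5": "dst_zone", "cs4": "from_zone", "PanOSThreatID": "gtid",
    "PanOSLogSource": "log_source", "LogSourceGroupID": "log_source_group_id",
    "deviceExternalID": "log_source_id", "rt": "log_time",
    "PanOSPanoramaSN": "panorama_serial", "PlatformType": "platform_type",
    "PanOSDNSSecuityVersion": "protocol", "PanOSRecordType": "record_type",
    "src": "source_ip", "suser": "source_user", "cat": "threat_name",
    "start": "time_generated", "cn3": "total_time_elapsed",
    "PanOSDNSCategory": "verdict",
}
# Fields the table defines as microseconds since the Unix epoch.
MICROSECOND_FIELDS = {"log_time", "time_generated"}


def split_cef_header(line):
    """Return the 7 pipe-delimited CEF header fields and the extension string.

    A literal pipe inside a header field is escaped as '\\|', so split only on
    unescaped pipes.
    """
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    return [p.replace("\\|", "|") for p in parts[:7]], parts[7]


def parse_cef_extension(ext):
    """Parse 'key=value key2=value2' where values may contain spaces.

    A key is a run of [A-Za-z0-9_] at the start or after whitespace followed by
    an unescaped '='; everything up to the next key is the value. The CEF
    escapes '\\=', '\\\\' and '\\n' in values are undone here.
    """
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = re.sub(
            r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out


def micros_to_iso(value):
    """Convert a microseconds-since-epoch string (log_time, time_generated) to ISO 8601 UTC."""
    secs, micros = divmod(int(value), 1_000_000)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=micros).isoformat()


def normalize_cef(line):
    """Turn one CEF DNS Security record into a dict keyed by the table's field names."""
    header, ext = split_cef_header(line)
    rec = {"vendor_name": header[1], "log_type": header[4], "sub_type": header[5]}
    for key, value in parse_cef_extension(ext).items():
        field = CEF_KEY_TO_FIELD.get(key, key)  # unknown keys are kept verbatim
        rec[field] = micros_to_iso(value) if field in MICROSECOND_FIELDS else value
    return rec


def enforced_lookups(records):
    """(source_ip, threat_name, action) for every record whose action is not 'allow'.

    The action strings are assumed; the page does not enumerate action values.
    """
    return [(r.get("source_ip"), r.get("threat_name"), r.get("action"))
            for r in records if r.get("action", "").lower() != "allow"]


# Constructed sample records (not real Cortex Data Lake output); every value is a placeholder.
SAMPLE_CEF = [
    "CEF:0|Palo Alto Networks|Cortex Data Lake|1.0|dns_security|malicious|7|"
    "act=sinkhole src=10.1.2.3 PanOSDNSResolverIP=10.0.0.53 PanOSDNSResponse=0.0.0.0 "
    "PanOSDNSResponseCode=0 cs4=trust cs5=untrust cat=Example Threat\\=C2 "
    "PanOSRecordType=A PanOSThreatID=0 start=1700000000000000 rt=1700000000500000 "
    "PanOSDNSCategory=0 suser=corp\\\\alice deviceExternalID=000000000000 cn3=0",
    "CEF:0|Palo Alto Networks|Cortex Data Lake|1.0|dns_security|benign|1|"
    "act=allow src=10.1.2.4 PanOSDNSResolverIP=10.0.0.53 PanOSDNSResponse=192.0.2.10 "
    "PanOSDNSResponseCode=0 cs4=trust cs5=untrust PanOSRecordType=A "
    "start=1700000001000000 rt=1700000001250000 PanOSDNSCategory=0 cn3=0",
]

if __name__ == "__main__":
    records = [normalize_cef(line) for line in SAMPLE_CEF]
    for record in records:
        print(record)
    print(enforced_lookups(records))
```

Unknown extension keys are passed through unchanged rather than dropped, so a record from a newer firmware that adds a field is still visible to the analyst; the verdict integer is likewise kept raw because its meaning depends on the protocol field and the page gives no mapping.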