DNS Security logs are accessible directly on the firewall or
through CDL-based log viewers (AIOps, Prisma Access, CDL, etc.).
The firewall lets you access the threat log entries that are generated
when users make malicious DNS queries; benign DNS requests
are not recorded. DNS Security data is also forwarded to Cortex
Data Lake (CDL) through log forwarding (as threat logs) and
DNS Security telemetry (as DNS Security logs),
which are then referenced by various Activity
log viewer applications. DNS Security telemetry operates with minimal
overhead, which limits the amount of data sent to CDL; as a result,
only a subset of DNS queries is forwarded to CDL as DNS Security
log entries, regardless of the severity level, threat type, or category.
The threat logs for malicious DNS requests that are forwarded to
CDL using log forwarding are available in their entirety. For this reason,
Palo Alto Networks recommends viewing logs for malicious DNS requests
as threat logs instead of DNS Security logs.