View DNS Security Logs

Advanced DNS Security Powered by Precision AI™

Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • CN-Series

What Do I Need?
  • Advanced DNS Security License (for enhanced feature support) or DNS Security License
  • Advanced Threat Prevention or Threat Prevention License
You can browse, search, and view the DNS Security logs that are generated automatically when DNS Security encounters a qualifying event. Typically this covers every domain category that DNS Security analyzes, unless that category is specifically configured with a log severity level of none. Each log entry provides numerous details about the event, including the threat level and, where applicable, the nature of the threat.

DNS Security logs are accessible directly on the firewall or through Strata Logging Service-based log viewers (AIOps for NGFW Free, Cloud Management, Strata Logging Service, etc.). The firewall gives you access to the threat log entries generated when a user's DNS query matches a malicious domain; benign DNS requests are not recorded on the firewall. DNS Security data also reaches Strata Logging Service by two paths: log forwarding (as threat logs) and DNS Security telemetry (as DNS Security logs), and the various activity log viewer applications draw on both. DNS Security telemetry is designed to add minimal overhead, which limits the amount of data sent to Strata Logging Service; as a result, only a subset of DNS queries is forwarded to Strata Logging Service as DNS Security log entries, regardless of severity level, threat type, or category. The threat logs for malicious DNS requests that reach Strata Logging Service through log forwarding, by contrast, are complete. Palo Alto Networks therefore recommends investigating malicious DNS requests through the threat logs rather than the DNS Security logs.

View DNS Security Logs (Strata Cloud Manager)

Benign DNS queries that have been analyzed by DNS Security are not displayed in the log viewer. Log in to your Strata Logging Service app to access benign DNS log entries.
  1. Use the credentials associated with your Palo Alto Networks support account and log in to Strata Cloud Manager on the hub.
  2. Search for DNS queries that have been processed using DNS Security.
    1. Select Incidents and Alerts > Log Viewer.
    2. Constrain your search using the threat filter and submit a log query based on the DNS category, for example,
      threat_category.value = 'dns-c2'
      to view logs for domains that DNS Security has determined to be C2 domains. To search for other DNS categories, replace c2 with another supported category (ddns, parked, malware, etc.). Adjust the search criteria as necessary, adding query parameters such as severity level and subtype along with a date range.
    3. Select a log entry to view the details of a detected DNS threat.
    4. The threat Category is displayed in the General pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding windows.
    5. For DNS tunneling domains, including tunneling-based APTs (advanced persistent threats), you can view the tunneling tools and attack campaigns associated with the domain. These appear in the Threat ID/Name field of the log entry for the DNS tunnel domain, which uses the following format:
      Tunneling:<tool_name>,<tool_name>,<tool_name>,...:<domain_name>
      where each tool_name in the comma-separated list is either a DNS tunneling tool used to embed data in DNS queries and responses or the name of a cyber threat campaign. Campaign names are either industry-accepted incident names, following the same naming conventions, or campaigns identified and named by Palo Alto Networks and described in the Unit 42 threat research blogs; one such campaign, which leverages DNS tunneling techniques, is described in Leveraging DNS Tunneling for Tracking and Scanning.
      DNS tunnel attribution might produce the associated tool and campaign entries some time after the initial DNS tunnel detection completes. In that case, only the domain name is shown initially alongside the DNS tunnel category. When the attribution component finishes, the complete details appear in the Threat ID/Name field, including any DNS tunneling tools and campaigns.

View DNS Security Logs (NGFW (Managed by PAN-OS or Panorama))

  1. Search for activity on the firewall for queries that have been processed using DNS Security.
    1. Select Monitor > Logs > Threat and filter based on the DNS category. Consider the following examples:
      • ( category-of-threatid eq dns-c2 )
        to view logs for domains that DNS Security has determined to be C2 domains.
      • ( category-of-threatid eq adns-hijacking )
        where the category value adns-hijacking matches DNS queries that Advanced DNS Security has categorized as a malicious DNS hijacking attempt.
      To search for other DNS categories, replace c2 with another supported category (ddns, parked, malware, etc.).
    2. Select a log entry to view the details of a detected DNS threat.
    3. The threat Category is displayed in the Details pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding windows.
    4. For DNS tunneling domains, including tunneling-based APTs (advanced persistent threats), you can view the tunneling tools and attack campaigns associated with the domain. These appear in the Threat ID/Name field of the log entry for the DNS tunnel domain, which uses the following format:
      Tunneling:<tool_name>,<tool_name>,<tool_name>,...:<domain_name>
      where each tool_name in the comma-separated list is either a DNS tunneling tool used to embed data in DNS queries and responses or the name of a cyber threat campaign. Campaign names are either industry-accepted incident names, following the same naming conventions, or campaigns identified and named by Palo Alto Networks and described in the Unit 42 threat research blogs; one such campaign, which leverages DNS tunneling techniques, is described in Leveraging DNS Tunneling for Tracking and Scanning.
      DNS tunnel attribution might produce the associated tool and campaign entries some time after the initial DNS tunnel detection completes. In that case, only the domain name is shown initially alongside the DNS tunnel category. When the attribution component finishes, the complete details appear in the Threat ID/Name field, including any DNS tunneling tools and campaigns.
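The Strata Cloud Manager and PAN-OS procedures above describe the same Tunneling:<tool_name>,...:<domain_name> format and the same category-based filtering, and both are easier to apply to an exported batch of threat logs than one entry at a time in the UI. The following Python script is an added example written for this page, not Palo Alto Networks code. It builds the Monitor > Logs > Threat filter string for one or more categories (joining several with "or", which goes beyond the single-category examples above), applies the same selection to exported records, and parses the tunnel Threat ID/Name format so that entries whose attribution is still pending are reported as such. The simplified record layout (a dict keyed by the field names the page's own filters use), the sample entries, and the spelling of a not-yet-attributed entry as Tunneling::<domain_name> are assumptions made for the example; the page does not show them.

```python
"""Work with DNS Security detections in PAN-OS style threat log records.

Added example for this page, not Palo Alto Networks code. Records are a
constructed, simplified view of threat log entries keyed by the field names
used in the page's filter examples (threatid, category-of-threatid); real
threat log exports carry many more fields.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Documented Threat ID/Name format for DNS tunnel detections:
#   Tunneling:<tool_name>,<tool_name>,...:<domain_name>
# Tool names and campaign names share one comma-separated list. The page says
# only the domain is present until attribution completes but does not show
# that spelling; this example assumes the tool segment is then empty
# ("Tunneling::<domain_name>"), which the regex accepts via [^:]*.
_TUNNEL_RE = re.compile(r"^Tunneling:(?P<tools>[^:]*):(?P<domain>[^:\s]+)$")

# Category tokens as they appear in the page's filters (dns-c2, adns-hijacking).
_CATEGORY_TOKEN_RE = re.compile(r"^[a-z0-9-]+$")


@dataclass
class TunnelDetection:
    domain: str
    # Tunneling tools and/or campaign names, in the order the entry lists them.
    attributions: list[str] = field(default_factory=list)

    @property
    def attribution_pending(self) -> bool:
        """True when the attribution component has not yet filled in tools/campaigns."""
        return not self.attributions


def parse_tunnel_threat_name(name: str) -> Optional[TunnelDetection]:
    """Parse a Threat ID/Name value; return None if it is not a DNS tunnel entry."""
    m = _TUNNEL_RE.match(name.strip())
    if not m:
        return None
    tools = [t.strip() for t in m.group("tools").split(",") if t.strip()]
    return TunnelDetection(domain=m.group("domain").lower(), attributions=tools)


def panos_category_filter(*categories: str) -> str:
    """Build the Monitor > Logs > Threat filter for one or more DNS categories.

    Joining several categories with "or" goes beyond the page's single-category
    examples; the PAN-OS log filter syntax accepts it.
    """
    if not categories:
        raise ValueError("at least one category is required")
    for c in categories:
        # Refuse anything that is not a bare category token so a caller cannot
        # smuggle extra filter clauses into the string.
        if not _CATEGORY_TOKEN_RE.match(c):
            raise ValueError(f"invalid category token: {c!r}")
    return " or ".join(f"( category-of-threatid eq {c} )" for c in categories)


def filter_by_category(records: list[dict], *categories: str) -> list[dict]:
    """Local equivalent of panos_category_filter() applied to exported records."""
    wanted = set(categories)
    return [r for r in records if r.get("category-of-threatid") in wanted]


def tunnel_detections(records: list[dict]) -> list[TunnelDetection]:
    """Parse every record whose Threat ID/Name uses the tunnel format."""
    found = []
    for r in records:
        det = parse_tunnel_threat_name(r.get("threatid", ""))
        if det is not None:
            found.append(det)
    return found


# Constructed sample records (not real log output); categories and severities
# are illustrative only.
SAMPLE_THREAT_LOGS = [
    {"threatid": "Tunneling:iodine,dnscat2:tunnel.example.net",
     "category-of-threatid": "dns-c2", "severity": "high"},
    {"threatid": "Tunneling::pending.example.org",  # attribution not finished (assumed spelling)
     "category-of-threatid": "dns-c2", "severity": "high"},
    {"threatid": "c2.example.com",
     "category-of-threatid": "dns-c2", "severity": "high"},
    {"threatid": "dyn.example.net",
     "category-of-threatid": "dns-ddns", "severity": "low"},
    {"threatid": "hijack.example.com",
     "category-of-threatid": "adns-hijacking", "severity": "high"},
]

if __name__ == "__main__":
    print(panos_category_filter("dns-c2", "adns-hijacking"))
    for r in filter_by_category(SAMPLE_THREAT_LOGS, "dns-c2", "adns-hijacking"):
        print(r["category-of-threatid"], r["threatid"])
    for det in tunnel_detections(SAMPLE_THREAT_LOGS):
        state = "attribution pending" if det.attribution_pending else ",".join(det.attributions)
        print(det.domain, state)
```

Because attribution can arrive after the initial detection, a tunnel entry with an empty attribution list is worth re-checking later rather than being treated as a detection without tooling; the attribution_pending flag is there to drive that re-check.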

View DNS Security Logs (AIOps for NGFW Free)

Benign DNS queries that have been analyzed by DNS Security are not displayed in the AIOps for NGFW Free log viewer. Log in to your Strata Logging Service app to access benign DNS log entries.
  1. Use the credentials associated with your Palo Alto Networks support account and log in to the AIOps for NGFW Free application on the hub.
  2. Search for DNS queries that have been processed using DNS Security in AIOps for NGFW Free.
    1. Select Incidents and Alerts > Log Viewer.
    2. Constrain your search using the threat filter and submit a log query based on the DNS category, for example,
      threat_category.value = 'dns-c2'
      to view logs for domains that DNS Security has determined to be C2 domains. To search for other DNS categories, replace c2 with another supported category (ddns, parked, malware, etc.). Adjust the search criteria as necessary, adding query parameters such as severity level and subtype along with a date range.
    3. Select a log entry to view the details of a detected DNS threat.
    4. The threat Category is displayed in the Details pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding windows.

View DNS Security Logs (Strata Logging Service)

  1. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Logging Service application on the hub.
  2. Allocate Storage Based on Log Type. If no storage space has been allocated for DNS Security logs on Strata Logging Service, the log entries will not be viewable through Strata Logging Service.
  3. Search for DNS queries that have been processed using DNS Security in Strata Logging Service.
    1. Select Explore to open the Strata Logging Service log viewer.
    2. Constrain your search using the threat filter and submit a log query based on the DNS category, for example,
      threat_category.value = 'dns-c2'
      to view logs for domains that DNS Security has determined to be C2 domains. To search for other DNS categories, replace c2 with another supported category (ddns, parked, malware, etc.). Adjust the search criteria as necessary, adding query parameters such as severity level and subtype along with a date range.
    3. Select a log entry to view the details of a detected DNS threat.
    4. The threat Category is displayed in the Details pane of the detailed log view. Other relevant details about the threat are displayed in their corresponding windows.
