Strata Logging Service
DNS Security
DNS Security logs record what the DNS Security service observed for each domain lookup: the DNS query details, the resolver's response, the firewall security policy rule that matched, and the action the firewall took.
The table below lists each field with its display name, its description, and its name in each supported log format.
| Field (Display Name) | Description | Syslog | CEF | EMAIL / HTTPS | LEEF |
|---|---|---|---|---|---|
| action.value (ACTION) | The action the firewall took for the network traffic. | positional | act | Action | Action |
| customer_id (TENANT ID) | The ID that uniquely identifies the Strata Logging Service instance that received this log record. | | PanOSCortexDataLakeTenantID | CortexDataLakeTenantId | CortexDataLakeTenantId |
| dest_ip.value (DNS RESOLVER IP) | The IP address of the DNS resolver. | positional | PanOSDNSResolverIP | DNSResolverIP | DNSResolverIP |
| dns_response (DNS RESPONSE) | The IP address the domain in the DNS query resolved to. | positional | PanOSDNSResponse | DNSResponse | DNSResponse |
| dns_response_code (DNS RESPONSE CODE) | The response code (RCODE) the resolver returned for the query, for example NOERROR or NXDOMAIN. | | PanOSDNSResponseCode | DNSResponseCode | DNSResponseCode |
| dst_user (DESTINATION USER) | The username of the user to which the session was destined. | positional | duser | DestinationUser | DestinationUser |
| dst_zone (TO ZONE) | The network zone the session was destined to. | positional | cs5 | ToZone | ToZone |
| from_zone (FROM ZONE) | The network zone from which the traffic originated. | positional | cs4 | FromZone | FromZone |
| gtid (THREAT ID) | The Global Threat ID of the requested domain. If a threat signature is associated with the DNS request, this is a Palo Alto Networks threat ID. | positional | PanOSThreatID | ThreatID | ThreatID |
| log_source (LOG SOURCE) | Identifies the origin of the data, that is, the system that produced it. | | PanOSLogSource | LogSource | LogSource |
| log_source_group_id (LOG SOURCE GROUP ID) | ID that uniquely identifies the group the log source belongs to, that is, the log_source_id of the group. | | LogSourceGroupID | LogSourceGroupID | LogSourceGroupID |
| log_source_id (DEVICE SN) | ID that uniquely identifies the source of the log, that is, the serial number of the firewall that generated it. If Prisma Access generated the log, the serial number is not displayed. | positional | deviceExternalID | DeviceSN | DeviceSN |
| log_time (TIME RECEIVED) | Time the log was received by Strata Logging Service, as a string holding the number of microseconds since the Unix epoch. | positional | rt | TimeReceived | TimeReceived |
| log_type.value (LOG TYPE) | Identifies the log type. | positional | DeviceEventClassID | LogType | cat |
| panorama_serial (PANORAMA SN) | Serial number of the Panorama appliance associated with the Strata Logging Service (formerly Cortex Data Lake) instance. | | PanOSPanoramaSN | PanoramaSN | PanoramaSN |
| platform_type (PLATFORM TYPE) | The platform type; valid values are VM, PA, NGFW and CNGFW. | | PlatformType | PlatformType | PlatformType |
| protocol (DNS SECURITY VERSION) | A number indicating the PAN-OS version of the firewall that generated the log. Its value determines which category mapping applies to verdict.value. | | PanOSDNSSecuityVersion | DNSSecurityVersion | DNSSecurityVersion |
| record_type (RECORD TYPE) | The DNS record type (QTYPE) of the query, such as A, AAAA, CNAME or TXT. | positional | PanOSRecordType | RecordType | RecordType |
| source_ip.value (SOURCE ADDRESS) | The IP address of the system that made the DNS request. | positional | src | SourceAddress | src |
| source_user (SOURCE USER) | The username that initiated the network traffic. | | suser | SourceUser | UsrName |
| sub_type.value (SUB TYPE) | Identifies the log subtype. | positional | Name | SubType | SubType |
| threat_name (THREAT NAME) | The name of the threat against which the verdict was made. | positional | cat | ThreatName | ThreatName |
| time_generated (TIME GENERATED) | Time the log was generated on the firewall's data plane, as a string holding the number of microseconds since the Unix epoch. | positional | start | TimeGenerated | devTime |
| total_time_elapsed (SESSION DURATION) | The total duration of the network session. | | cn3 | SessionDuration | SessionDuration |
| vendor_name (VENDOR NAME) | Identifies the vendor that produced the data. | positional | Device Vendor | VendorName | Vendor |
| verdict.value (DNS CATEGORY) | The DNS category verdict for the requested domain, as an integer. The mapping from integer to category depends on the value of the protocol field (one mapping when protocol is 1, another when protocol is 2). | positional | PanOSDNSCategory | DNSCategory | EventID |

Syslog output is positional: a "positional" cell means the field is emitted at the position given on the Syslog Field Order page; an empty Syslog cell means no syslog field name is listed for that field. In CEF output, Device Vendor, DeviceEventClassID and Name are positions in the CEF header, while every other CEF name is an extension key in the trailing key=value list.
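As an added example (not part of this documentation page or of the Strata Logging Service itself), the Python below parses CEF-formatted DNS Security records into the Strata field names listed above, converts the microsecond epoch timestamps to ISO-8601, and flags source addresses with repeated NXDOMAIN answers, a common first-pass hint for DGA or DNS-tunneling activity. The CEF header product and version, the action values, the category numbers, and the assumption that the response code may arrive either as the number 3 or the mnemonic NXDOMAIN are not taken from the page; the sample lines are constructed, not captured output.

```python
"""Parse CEF-formatted DNS Security records into the Strata field names used above."""
import re
from datetime import datetime, timedelta, timezone

# CEF header positions (0 = "CEF:0") that the table maps to Strata fields.
CEF_HEADER_TO_STRATA = {1: "vendor_name", 4: "log_type.value", 5: "sub_type.value"}

# CEF extension key -> Strata field name, copied from the table above.
CEF_EXT_TO_STRATA = {
    "act": "action.value", "PanOSCortexDataLakeTenantID": "customer_id",
    "PanOSDNSResolverIP": "dest_ip.value", "PanOSDNSResponse": "dns_response",
    "PanOSDNSResponseCode": "dns_response_code", "duser": "dst_user",
    "cs5": "dst_zone", "cs4": "from_zone", "PanOSThreatID": "gtid",
    "PanOSLogSource": "log_source", "LogSourceGroupID": "log_source_group_id",
    "deviceExternalID": "log_source_id", "rt": "log_time",
    "PanOSPanoramaSN": "panorama_serial", "PlatformType": "platform_type",
    "PanOSDNSSecuityVersion": "protocol", "PanOSRecordType": "record_type",
    "src": "source_ip.value", "suser": "source_user", "cat": "threat_name",
    "start": "time_generated", "cn3": "total_time_elapsed",
    "PanOSDNSCategory": "verdict.value",
}

# The table documents both timestamps as microseconds since the Unix epoch.
EPOCH_MICRO_FIELDS = ("log_time", "time_generated")
# Assumption: RCODE 3 may arrive as the number or as the mnemonic NXDOMAIN.
NXDOMAIN_CODES = {"3", "NXDOMAIN"}

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")   # '|' not preceded by a backslash
_EXT_SPLIT = re.compile(r"\s+(?=\w+=)")    # whitespace that starts a new key=
_ESCAPE = re.compile(r"\\(.)")              # CEF escapes: \| \= \\ \n \r


def _unescape(text):
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_cef(line):
    """Return (header fields, extension dict) for one CEF line, honouring escapes."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF needs 7 header fields before the extension")
    header = [_unescape(p) for p in parts[:7]]
    ext = {}
    for token in _EXT_SPLIT.split(parts[7].strip()):
        key, _, value = token.partition("=")
        ext[key] = _unescape(value)
    return header, ext


def micros_to_iso(value):
    """Render a microseconds-since-epoch string as ISO-8601 UTC without float rounding."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=int(value))).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Map one CEF line onto Strata field names; unknown keys keep their CEF name."""
    header, ext = parse_cef(line)
    event = {name: header[pos] for pos, name in CEF_HEADER_TO_STRATA.items()}
    for key, value in ext.items():
        event[CEF_EXT_TO_STRATA.get(key, key)] = value
    for field in EPOCH_MICRO_FIELDS:
        if event.get(field, "").isdigit():
            event[field + "_iso"] = micros_to_iso(event[field])
    return event


def nxdomain_heavy_sources(events, threshold=3):
    """Source addresses with at least `threshold` NXDOMAIN answers in the batch."""
    counts = {}
    for ev in events:
        if ev.get("dns_response_code") in NXDOMAIN_CODES:
            src = ev.get("source_ip.value")
            counts[src] = counts.get(src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed sample records for this example; header product/version, action values
# and the resolver/device identifiers are illustrative, not captured output.
_COMMON = (r" PanOSDNSResolverIP=10.0.0.53 cs4=trust cs5=untrust rt=1700000000000000"
           r" start=1700000000000000 deviceExternalID=007951000012345 PanOSDNSSecuityVersion=2")
SAMPLE_LINES = [
    r"CEF:0|Palo Alto Networks|LF|2.0|DNS|dns|3|act=allow src=10.1.1.25 suser=acme\\jdoe"
    r" PanOSRecordType=A PanOSDNSResponse=93.184.216.34 PanOSDNSResponseCode=0 cn3=12" + _COMMON,
    r"CEF:0|Palo Alto Networks|LF|2.0|DNS|dns|3|act=allow src=10.1.1.77 PanOSRecordType=A"
    r" PanOSDNSResponse= PanOSDNSResponseCode=3" + _COMMON,
    r"CEF:0|Palo Alto Networks|LF|2.0|DNS|dns|3|act=allow src=10.1.1.77 PanOSRecordType=AAAA"
    r" PanOSDNSResponse= PanOSDNSResponseCode=NXDOMAIN" + _COMMON,
    r"CEF:0|Palo Alto Networks|LF|2.0|DNS|dns|3|act=allow src=10.1.1.77 PanOSRecordType=TXT"
    r" PanOSDNSResponse= PanOSDNSResponseCode=3" + _COMMON,
]

if __name__ == "__main__":
    events = [normalize(line) for line in SAMPLE_LINES]
    for ev in events:
        print(ev["time_generated_iso"], ev["source_ip.value"], ev["record_type"],
              ev.get("dns_response_code"), ev["action.value"])
    print("NXDOMAIN-heavy sources:", nxdomain_heavy_sources(events))
```

The header is split on unescaped pipes with `maxsplit=7` so that a pipe inside the extension is left alone, and the extension is split only at whitespace that begins a new `key=`, which keeps spaces and escaped `\=` inside values intact. Because the page specifies microseconds rather than the milliseconds many CEF consumers assume for `rt`, the conversion uses an integer `timedelta` instead of dividing to seconds; any field that is not all digits is left untouched so a differently formatted timestamp is not silently mangled.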