View threat logs
Before you begin
Verify that the following have been completed before you view DNS threat logs:
- Enable the Network Security API in your project.
- Verify that you have the DNS Threat Detector Viewer role.
Threat logs are written to Cloud Logging and can result in additional storage costs. See Use logging and monitoring: Pricing or Pricing for Google Cloud Observability: Cloud Logging.
Permissions required for this task
To perform this task, you must have been granted the following permissions or the following IAM roles.
Permissions
- resourcemanager.projects.get
- resourcemanager.projects.list
- networksecurity.dnsThreatDetectors.get
- networksecurity.dnsThreatDetectors.list
Roles
- roles/networksecurity.dnsThreatDetectorViewer
- roles/logging.viewer
View threat logs
You can view logs in the Google Cloud console.
Each log entry includes details to identify the corresponding DNS query and threat.
Console
In the Google Cloud console, go to the Logs Explorer page.
Filter the logs for networksecurity.googleapis.com/DnsThreatDetector.
Threat log record fields
Every threat log has the following fields.
| Name | Type | Description |
|---|---|---|
| detectionTime | string | Time when the threat is detected in UTC. The timestamp is in ISO 8601 format. |
| dnsQuery | DnsLog | Cloud DNS Log format. |
| partnerId | string | Unique partner identifier. |
| threatInfo | threatInfo | The details of threat detected. |
Threat info field
The following table describes the format of the threatInfo field.
| Name | Type | Description |
|---|---|---|
| threatID | string | Unique threat identifier. |
| threat | string | The name of the threat detected. |
| threatDescription | string | A detailed description of the threat detected. |
| category | string | The subtype of the threat detected. |
| type | string | The type of the threat detected. For example, DNS_Tunnel, DGA (Domain Generation Algorithms), or C2 (Command and Control). |
| severity | string | The severity (High, Medium, Low, or Info) associated with the threat detected. For more information, see Infoblox's Severity Level Definition. |
| confidence | string | Confidence of the threat prediction (high, medium, low). For more information, see Infoblox's Confidence Level Definition. |
| threatFeed | string | Threat feed that triggered this threat alert. |
| indicatorType | string | The type of indicator that triggered this threat alert. For example, URL, IP, Hash, or Host. |
| threatIndicator | string | The threat indicator that triggered this alert. |
DNS Query field
The following table describes the format of the DnsQuery field.
| Name | Type | Description |
|---|---|---|
| projectNumber | string | Source project number. |
| location | string | Google Cloud region, for example us-east1, from which the response was served. |
| queryName | string | DNS query name, RFC 1035 4.1.2. |
| queryType | string | DNS query type, IANA DNS Parameters: Resource Record (RR) TYPEs. |
| responseCode | string | Response code, IANA DNS Parameters: DNS RCODEs. |
| rdata | string | DNS answer in presentation format, IANA DNS Parameters: Resource Record (RR) TYPEs, truncated to 260 bytes. |
| authAnswer | string | Authoritative answer, IANA DNS Parameters: DNS Header Flags. |
| sourceIp | string | IP originating the query. |
| destinationIp | string | Target IP address, only applicable for forwarding cases. |
| protocol | string | TCP or UDP. |
| queryTime | string | Timestamp for when the DNS query was sent. |
| vmInstanceId | string | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. |
| vmProjectNumber | string | Google Cloud project ID of the network from which the query was sent, only applicable to queries initiated by Compute Engine VM instances. |
| serverlessInstanceId | string | Serverless instance ID from which the query was sent, only applicable to queries initiated by Serverless. |
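The following is an added example, not part of the original documentation: one way to triage exported threat log entries by the severity, confidence, and source fields described in the tables above. It assumes the entries were exported as JSON with the documented fields nested under `jsonPayload`; the sample entries are constructed, and the `rank`, `source_of`, and `triage` helpers and their thresholds are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample entries, not real detections. Field names follow the tables
# on this page; wrapping them in "jsonPayload" is an assumption.
SAMPLE_ENTRIES = json.loads("""[
 {"jsonPayload": {"detectionTime": "2026-01-10T08:15:02Z",
   "dnsQuery": {"queryName": "a1b2c3.t.example.", "sourceIp": "10.0.0.5", "vmInstanceId": "web-1"},
   "threatInfo": {"type": "DNS_Tunnel", "severity": "High", "confidence": "high"}}},
 {"jsonPayload": {"detectionTime": "2026-01-10T08:16:40Z",
   "dnsQuery": {"queryName": "qzxkvw.example.", "sourceIp": "10.0.0.5", "vmInstanceId": "web-1"},
   "threatInfo": {"type": "DGA", "severity": "Medium", "confidence": "medium"}}},
 {"jsonPayload": {"detectionTime": "2026-01-10T09:01:11Z",
   "dnsQuery": {"queryName": "c2.example.", "sourceIp": "10.0.0.7"},
   "threatInfo": {"type": "C2", "severity": "High", "confidence": "low"}}},
 {"jsonPayload": {"detectionTime": "2026-01-10T09:30:00Z",
   "dnsQuery": {"queryName": "plmokn.example.", "sourceIp": "10.0.0.8", "serverlessInstanceId": "fn-123"},
   "threatInfo": {"type": "DGA", "severity": "Low", "confidence": "high"}}},
 {"jsonPayload": {"detectionTime": "2026-01-10T10:05:30Z",
   "dnsQuery": {"queryName": "beacon.example.", "sourceIp": "10.0.0.9"},
   "threatInfo": {"type": "C2", "severity": "Medium", "confidence": "High"}}}
]""")

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}
CONFIDENCE = {"low": 1, "medium": 2, "high": 3}

def rank(table, value):
    """Map a level string to a number, ignoring case; unknown or missing ranks -1."""
    return table.get(str(value or "").strip().lower(), -1)

def source_of(dns_query):
    """Prefer the VM or serverless instance ID (set only when applicable), else sourceIp."""
    for key in ("vmInstanceId", "serverlessInstanceId", "sourceIp"):
        if dns_query.get(key):
            return f"{key}={dns_query[key]}"
    return "unknown"

def triage(entries, min_severity="medium", min_confidence="medium"):
    """Group detections meeting both thresholds by source, worst source first."""
    by_source = defaultdict(list)
    for entry in entries:
        payload = entry.get("jsonPayload", entry)
        info, query = payload.get("threatInfo") or {}, payload.get("dnsQuery") or {}
        sev = rank(SEVERITY, info.get("severity"))
        if (sev < rank(SEVERITY, min_severity)
                or rank(CONFIDENCE, info.get("confidence")) < rank(CONFIDENCE, min_confidence)):
            continue
        by_source[source_of(query)].append(
            (sev, info.get("type"), query.get("queryName"), payload.get("detectionTime")))
    return sorted(by_source.items(), key=lambda kv: (-max(d[0] for d in kv[1]), -len(kv[1])))
```

Entries with a missing or unrecognized severity or confidence value rank below every threshold and are dropped, so review those separately rather than treating their absence from the result as a clean bill.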
What's next
Learn more about how to Use logging and monitoring, including how to enable logging for your VPC networks.
Learn more about Advanced threat detection.
To find solutions for common issues that you might encounter when using threat monitoring, see Troubleshooting.
To learn how to be alerted when a threat is detected, see Alerting overview.
Last updated 2026-02-19 UTC.