Verify that the following have been completed before you view DNS threat logs:
DNS Threat Detector Viewer role.

Threat logs are written to Cloud Logging and can result in additional storage costs. See Use logging and monitoring: Pricing or Pricing for Google Cloud Observability: Cloud Logging.
To perform this task, you must have been granted the following permissions or the following IAM roles.
Permissions

- resourcemanager.projects.get
- resourcemanager.projects.list
- networksecurity.dnsThreatDetectors.get
- networksecurity.dnsThreatDetectors.list

Roles

- roles/networksecurity.dnsThreatDetectorViewer
- roles/logging.viewer

You can view logs in the Google Cloud console.
Each log entry includes details to identify the corresponding DNS query and threat.
In the Google Cloud console, go to the Logs Explorer page.
Filter the logs for networksecurity.googleapis.com/DnsThreatDetector.
Every threat log has the following fields.
| Name | Type | Description |
|---|---|---|
| detectionTime | string | Time when the threat is detected in UTC. The timestamp is in ISO 8601 format. |
| dnsQuery | DnsLog | Cloud DNS Log format. |
| partnerId | string | Unique partner identifier. |
| threatInfo | threatInfo | The details of the threat detected. |
The following table describes the format of the threatInfo field.
| Name | Type | Description |
|---|---|---|
| threatID | string | Unique threat identifier. |
| threat | string | The name of the threat detected. |
| threatDescription | string | A detailed description of the threat detected. |
| category | string | The subtype of the threat detected. |
| type | string | The type of the threat detected. For example, DNS_Tunnel, DGA (Domain Generation Algorithms), or C2 (Command and Control). |
| severity | string | The severity (High, Medium, Low, or Info) associated with the threat detected. For more information, see Infoblox's Severity Level Definition. |
| confidence | string | Confidence of the threat prediction (high, medium, low). For more information, see Infoblox's Confidence Level Definition. |
| threatFeed | string | Threat feed that triggered this threat alert. |
| indicatorType | string | The type of indicator that triggered this threat alert. For example, URL, IP, Hash, or Host. |
| threatIndicator | string | The threat indicator that triggered this alert. |
The following table describes the format of the DnsQuery field.
| Name | Type | Description |
|---|---|---|
| projectNumber | string | Source project number. |
| location | string | Google Cloud region, for example us-east1, from which the response was served. |
| queryName | string | DNS query name, RFC 1035 4.1.2. |
| queryType | string | DNS query type, IANA DNS Parameters: Resource Record (RR) TYPEs. |
| responseCode | string | Response code, IANA DNS Parameters: DNS RCODEs. |
| rdata | string | DNS answer in presentation format, IANA DNS Parameters: Resource Record (RR) TYPEs, truncated to 260 bytes. |
| authAnswer | string | Authoritative answer, IANA DNS Parameters: DNS Header Flags. |
| sourceIp | string | IP originating the query. |
| destinationIp | string | Target IP address, only applicable for forwarding cases. |
| protocol | string | TCP or UDP. |
| queryTime | string | Timestamp for when the DNS query was sent. |
| vmInstanceId | string | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. |
| vmProjectNumber | string | Google Cloud project ID of the network from which the query was sent, only applicable to queries initiated by Compute Engine VM instances. |
| serverlessInstanceId | string | Serverless instance ID from which the query was sent, only applicable to queries initiated by Serverless. |
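
The following added example (not part of the original page and not Google or Infoblox code) shows one way to triage exported threat logs using the field names from the tables above: it filters on severity and confidence, then groups detections by the most specific origin recorded in dnsQuery. It assumes each entry is already available as a Python dict holding the four top-level fields; the rank order, helper names, and sample values are constructed for illustration.

```python
from collections import defaultdict

# Assumption: each entry is one threat log payload, already parsed to a dict.
# Rank order is assumed from the value lists in the threatInfo table.
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}
CONFIDENCE = {"low": 1, "medium": 2, "high": 3}

def source_of(dns_query):
    """Return the most specific origin recorded in dnsQuery."""
    for key in ("vmInstanceId", "serverlessInstanceId", "sourceIp"):
        if dns_query.get(key):
            return f"{key}={dns_query[key]}"
    return "unknown"

def triage(entries, min_severity="medium", min_confidence="medium"):
    """Keep detections at or above both thresholds, grouped by origin."""
    by_source = defaultdict(list)
    for entry in entries:
        info, query = entry.get("threatInfo", {}), entry.get("dnsQuery", {})
        # Severity is listed capitalised and confidence lowercase, so
        # compare case-insensitively; unrecognised values rank lowest.
        sev = SEVERITY.get(str(info.get("severity", "")).lower(), -1)
        conf = CONFIDENCE.get(str(info.get("confidence", "")).lower(), -1)
        if sev < SEVERITY[min_severity] or conf < CONFIDENCE[min_confidence]:
            continue
        by_source[source_of(query)].append(
            (sev, info.get("type"), query.get("queryName"), entry.get("detectionTime")))
    # Worst origin first: highest severity seen, then detection count.
    return sorted(by_source.items(),
                  key=lambda kv: (-max(h[0] for h in kv[1]), -len(kv[1])))

def _entry(time, name, src, sev, conf, ttype):
    # Builds one constructed payload using the documented field names.
    return {"detectionTime": time, "partnerId": "constructed-partner",
            "dnsQuery": {"queryName": name, "queryType": "TXT", "protocol": "UDP", **src},
            "threatInfo": {"type": ttype, "severity": sev, "confidence": conf}}

# Constructed sample payloads (not real detections).
VM = {"sourceIp": "10.0.0.5", "vmInstanceId": "vm-constructed-1"}
SAMPLE = [
    _entry("2026-01-01T00:00:05Z", "a1b2.tunnel.example.test.", VM, "High", "high", "DNS_Tunnel"),
    _entry("2026-01-01T00:00:09Z", "c3d4.tunnel.example.test.", VM, "Medium", "high", "DNS_Tunnel"),
    _entry("2026-01-01T00:01:00Z", "xkqzjw.example.test.", {"sourceIp": "10.0.0.9"}, "Medium", "medium", "DGA"),
    _entry("2026-01-01T00:02:00Z", "ads.example.test.", {"sourceIp": "10.0.0.7"}, "Info", "low", "C2"),
]

if __name__ == "__main__":
    for source, hits in triage(SAMPLE):
        print(source, len(hits), sorted({h[1] for h in hits}))
```
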
Learn more about how to Use logging and monitoring, including how to enable logging for your VPC networks.
Learn more about Advanced threat detection.
To find solutions for common issues that you might encounter when using threat monitoring, see Troubleshooting.
To learn how to be alerted when a threat is detected, see Alerting overview.
Last updated 2026-06-09 UTC.