Threat logs

Threat logs let you audit, verify, and analyze the threats detected in your network.

When Cloud Next Generation Firewall detects a threat on the traffic being monitored for Layer 7 inspection, it generates a log entry in the originating project with the details of the threat. To view and examine the threat logs, in the Logs Explorer, search for the log networksecurity.googleapis.com/firewall_threat. You can also view these threat logs on the Threats page.

This page explains the format and structure of the threat logs that are generated when a threat is detected.

Threat log format

Cloud NGFW creates a log record entry in Cloud Logging for each threat detected on the monitored traffic to or from a virtual machine (VM) instance in a specific zone. Log records are included in the JSON payload field of a LogEntry.

Some log fields are in a multiple-field format, with more than one piece of data in a given field. For example, the connection field is of the Connection format, which contains the server IP address and port, the client IP address and port, and the protocol number in a single field.

The following table describes the format of the threat log fields.

| Field | Type | Description |
| --- | --- | --- |
| connection | Connection | A 5-tuple that describes the connection parameters associated with the traffic where the threat is detected. |
| action | string | The action performed on the packet where the threat is detected. This action can either be the default action or the override action specified in the security profile. For more information about default actions, see Default signature set. |
| threatDetails | ThreatDetails | The details of the threat detected. |
| securityProfileGroupDetails | SecurityProfileGroupDetails | The details of the security profile group applied to the intercepted traffic. |
| interceptVpc | VpcDetails | The details of the Virtual Private Cloud (VPC) network associated with the VM instance where the threat is detected. |

Connection field format

The following table describes the format of the Connection field.

| Field | Type | Description |
| --- | --- | --- |
| clientIp | string | The client IP address. If the client is a Compute Engine VM, clientIp is either the primary internal IP address or an address in an alias IP range of the VM's network interface. The external IP address is not shown. The logs show the IP address of the VM instance as observed on the packet header, similar to the TCP dump on the VM instance. |
| clientPort | integer | The client port number. |
| serverIp | string | The server IP address. If the server is a Compute Engine VM, serverIp is either the primary internal IP address or an address in an alias IP range of the VM's network interface. The external IP address is not shown even if it is used in making the connection. |
| serverPort | integer | The server port number. |
| protocol | string | The IP protocol of the connection. |

ThreatDetails field format

The following table describes the format of the ThreatDetails field.

| Field | Type | Description |
| --- | --- | --- |
| id | string | The unique Palo Alto Networks threat identifier. |
| threat | string | The name of the threat detected. |
| description | string | A detailed description of the threat detected. |
| direction | string | The direction of the traffic. For example, client_to_server or server_to_client. |
| severity | string | The severity associated with the threat detected. For more information, see Threat severity levels. |
| detectionTime | string | The time when the threat is detected. |
| category | string | The subtype of the threat detected. For example, CODE_EXECUTION. |
| uriOrFilename | string | The URI or filename of the relevant threat (if applicable). |
| type | string | The type of the threat detected. For example, SPYWARE. |
| repeatCount | integer | The number of sessions with the same client IP address, server IP address, and threat type seen within five seconds. |
| cves | string | A list of Common Vulnerabilities and Exposures (CVEs) associated with the threat. For example, CVE-2021-44228-Apache Log4j remote code execution vulnerability. |

SecurityProfileGroupDetails field format

The following table describes the format of the SecurityProfileGroupDetails field.

| Field | Type | Description |
| --- | --- | --- |
| securityProfileGroupId | string | The security profile group name that is applied to the traffic. |
| organizationId | integer | The organization ID that the VM instance belongs to. |

VpcDetails field format

The following table describes the format of the VpcDetails field.

| Field | Type | Description |
| --- | --- | --- |
| vpc | string | The name of the VPC network associated with the intercepted traffic. |
| projectId | string | The name of the Google Cloud project associated with the VPC network. |
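The following added example (not part of the original documentation) shows one way to flatten exported threat log entries, using the field names described above, and to queue high-severity detections that were not blocked. The severity values HIGH and CRITICAL, the action value DENY, the function names, and every sample entry are assumptions constructed for illustration.

```python
from urllib.parse import unquote

THREAT_LOG_ID = "networksecurity.googleapis.com/firewall_threat"
# Assumed values: the page does not enumerate severities or actions.
URGENT_SEVERITIES = {"HIGH", "CRITICAL"}
BLOCKING_ACTIONS = {"DENY"}

def parse_threat_entry(entry):
    """Flatten one LogEntry dict; return None if it is not a threat log."""
    # logName is projects/<id>/logs/<log id>, with the log id URL-encoded.
    log_id = unquote(entry.get("logName", "")).partition("/logs/")[2]
    payload = entry.get("jsonPayload")
    if log_id != THREAT_LOG_ID or not isinstance(payload, dict):
        return None
    conn = payload.get("connection") or {}
    threat = payload.get("threatDetails") or {}
    cves = threat.get("cves") or []
    if isinstance(cves, str):  # typed as string on the page; accept a list too
        cves = [cves]
    return {
        "client": f"{conn.get('clientIp')}:{conn.get('clientPort')}",
        "server": f"{conn.get('serverIp')}:{conn.get('serverPort')}",
        "action": str(payload.get("action", "")).upper(),
        "severity": str(threat.get("severity", "")).upper(),
        "threat_id": threat.get("id"),
        # Defensive coercion: accept the integer as a number or a string.
        "repeat_count": int(threat.get("repeatCount") or 0),
        "cves": cves,
        "vpc": (payload.get("interceptVpc") or {}).get("vpc"),
    }

def review_queue(entries):
    """Return high-severity detections that were not blocked."""
    parsed = filter(None, map(parse_threat_entry, entries))
    return [r for r in parsed if r["severity"] in URGENT_SEVERITIES
            and r["action"] not in BLOCKING_ACTIONS]

# Constructed sample entries: placeholder project, IDs and documentation IPs.
_LOG = "projects/example-project/logs/networksecurity.googleapis.com%2Ffirewall_threat"
_CONN = {"clientIp": "192.0.2.10", "clientPort": 40312,
         "serverIp": "198.51.100.7", "serverPort": 8080, "protocol": "TCP"}
SAMPLE_ENTRIES = [
    {"logName": _LOG, "jsonPayload": {"connection": _CONN, "action": "ALERT",
        "threatDetails": {"id": "0000001", "severity": "HIGH", "repeatCount": "3",
            "cves": "CVE-2021-44228-Apache Log4j remote code execution vulnerability"},
        "interceptVpc": {"vpc": "example-vpc", "projectId": "example-project"}}},
    {"logName": _LOG, "jsonPayload": {"connection": _CONN, "action": "DENY",
        "threatDetails": {"id": "0000002", "severity": "CRITICAL", "repeatCount": 1}}},
    {"logName": "projects/example-project/logs/other-log", "jsonPayload": {}},
]
```

Calling `review_queue(SAMPLE_ENTRIES)` returns only the first entry: the second was blocked and the third is not a threat log.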
