Threat logs

Threat logs let you audit, verify, and analyze the threats detected in your network.

When Cloud Next Generation Firewall detects a threat on the traffic being monitored for Layer 7 inspection, it generates a log entry in the originating project with the details of the threat. To view and examine the threat logs, in the Logs Explorer, search for the log networksecurity.googleapis.com/firewall_threat. You can also view these threat logs on the Threats page.

This page explains the format and structure of the threat logs that are generated when a threat is detected.

Threat log format

Cloud NGFW creates a log record entry in Cloud Logging for each threat detected on the monitored traffic to or from a virtual machine (VM) instance in a specific zone. Log records are included in the JSON payload field of a LogEntry.

Some log fields are in a multiple-field format, with more than one piece of data in a given field. For example, the connection field is of the Connection format, which contains the server IP address and port, the client IP address and port, and the protocol number in a single field.

The following table describes the format of the threat log fields.

Field Type Description
connection Connection A 5-tuple that describes the connection parameters associated with the traffic where the threat is detected.
action string The action performed on the packet where the threat is detected. This action can either be the default action or the override action specified in the security profile.
threatDetails ThreatDetails The details of the threat detected.
securityProfileGroupDetails SecurityProfileGroupDetails The details of the security profile group applied to the intercepted traffic.
interceptVpc VpcDetails The details of the Virtual Private Cloud (VPC) network associated with the VM instance where the threat is detected.

Connection field format

The following table describes the format of the Connection field.

Field Type Description
clientIp string The client IP address. If the client is a Compute Engine VM, clientIp is either the primary internal IP address or an address in an alias IP range of the VM's network interface. The external IP address is not shown. The logs show the IP address of the VM instance as observed on the packet header, similar to the TCP dump on the VM instance.
clientPort integer The client port number.
serverIp string The server IP address. If the server is a Compute Engine VM, serverIp is either the primary internal IP address or an address in an alias IP range of the VM's network interface. The external IP address is not shown even if it is used in making the connection.
serverPort integer The server port number.
protocol string The IP protocol of the connection.

ThreatDetails field format

The following table describes the format of the ThreatDetails field.

Field Type Description
id string The unique Palo Alto Networks threat identifier.
threat string The name of the threat detected.
description string A detailed description of the threat detected.
direction string The direction of the traffic. For example, client_to_server or server_to_client.
severity string The severity associated with the threat detected. For more information, see Threat severity levels.
detectionTime string The time when the threat is detected.
category string The subtype of the threat detected. For example, CODE_EXECUTION.
uriOrFilename string The URI or filename of the relevant threat (if applicable).
type string The type of the threat detected. For example, SPYWARE.
repeatCount integer The number of sessions with the same client IP address, server IP address, and threat type seen within five seconds.
cves string A list of Common Vulnerabilities and Exposure (CVEs) associated with the threat. For example, CVE-2021-44228-Apache Log4j remote code execution vulnerability.

SecurityProfileGroupDetails field format

The following table describes the format of the SecurityProfileGroupDetails field.

Field Type Description
securityProfileGroupId string The security profile group name that is applied to the traffic.
organizationId integer The organization ID that the VM instance belongs to.

VpcDetails field format

The following table describes the format of the VpcDetails field.

Field Type Description
vpc string The name of the VPC network associated with the intercepted traffic.
projectId string The name of the Google Cloud project associated with the VPC network.

What's next