Cloud IDS logging information

This page describes the logs created by Cloud IDS threat alerts.

Threat logs

You can view logs generated due to threats in your network in Cloud Logging. The logs use a JSON format with the following fields.

  • threat_id - Unique Palo Alto Networks threat identifier.
  • name - Threat name.
  • alert_severity - Severity of the threat. One of "INFORMATIONAL", "LOW", "MEDIUM", "HIGH" or "CRITICAL".
  • type - Type of the threat.
  • category - Sub-type of the threat.
  • alert_time - Time when the threat was discovered.
  • network - Customer network in which the threat was discovered.
  • source_ip_address - Suspected traffic's source IP Address.
  • destination_ip_address - Suspected traffic's destination IP Address.
  • source_port - Suspected traffic's source port.
  • destination_port - Suspected traffic's destination port.
  • ip_protocol - Suspected traffic's IP protocol.
  • application - Suspected traffic's application type (e.g. SSH).
  • direction - Suspected traffic's direction (client-to-server or server-to-client).
  • session_id - An internal numerical identifier applied to each session.
  • repeat_count - Number of sessions with the same source IP, destination IP, application, and type seen within 5 seconds.
  • uri_or_filename - URI or filename of the relevant threat, if applicable.
  • details - Additional information on the type of threat, taken from Palo Alto Networks' ThreatVault.

The previous JSON fields are nested under the log's jsonPayload field. The log name for threat logs is projects/<consumer-project>/logs/ids.googleapis.com%2Fthreat.

In addition, the log's labels.id field contains the Cloud IDS endpoint's name, and its resource.type field is ids.googleapis.com/Endpoint.

Sample query

This query in Cloud Logging queries the IDS threat log in cloud project my-project", returning all threats reported by the my-endpoint endpoint between 8am-9am on April 4th, 2021, PST time (-07 timezone offset), where the threat's severity was marked HIGH.

logName="projects/my-project/logs/ids.googleapis.com%2Fthreat"
   AND resource.type="ids.googleapis.com/Endpoint"
   AND resource.labels.id="my-endpoint"
   AND timestamp >= "2021-04-18T08:00:00-07"
   AND timestamp <= "2021-04-18T09:00:00-07"
   AND jsonPayload.alert_severity=("HIGH" OR "CRITICAL")

Retention policy

Retention is determined by the storage buckets in which the logs are located. By default, logs are placed in the _Default bucket, and by default this bucket has a retention policy of 30 days.

You can choose to filter logs to different buckets. In addition, retention is configurable.

If you want a different retention policy than the default 30 days, you can do one of the following:

  • Filter all logs into another bucket and configure a retention policy.
  • Configure a custom retention policy for the _Default bucket. Note that this will affect all other logs in the _Default bucket.

Traffic logs

You can view logs generated due to network traffic in Cloud Logging. The logs use a JSON format with the following fields.

  • start_time - The time of the session start.
  • elapsed_time - The elapsed time of the session.
  • network - The network associated with the IDS endpoint.
  • source_ip_address - The source IP Address of the packet.
  • source_port - The source port of the traffic.
  • destination_ip_address - The destination IP Address of the packet.
  • destination_port - The destination port of the traffic.
  • ip_protocol - The IP protocol of the packet.
  • application - The application associated with the session.
  • session_id - An internal numerical identifier applied to each session.
  • repeat_count - The number of sessions with the same source IP, destination IP, application, and type seen within 5 seconds.
  • total_bytes - The total number of bytes transferred in the session.
  • total_packets - The total number of packets trasferred in the session.