Query Details
id: b8c9d0e1-f2a3-4b4c-5d6e-7f8a9b0c1d2e
name: "Palo Alto Networks - Threat Log Events (Spyware, Wildfire, Vulnerability)"
version: 1.0.0
kind: Scheduled
description: |
  Surfaces Palo Alto Networks threat log entries for malware, spyware, wildfire, vulnerability,
  and virus events that triggered more than 5 times in 24 hours. These events indicate active
  threat detection by the firewall's content inspection engine. High-frequency threat events
  from a single source often indicate malware activity, active C2 communications, or
  lateral exploitation.
  MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1071 (Application Layer Protocol)
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CommandAndControl
relevantTechniques:
  - T1190
  - T1071
query: |
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor == "Palo Alto Networks"
  | where DeviceEventClassID has_any ("THREAT", "threat", "WILDFIRE-VIRUS", "SPYWARE", "VULNERABILITY")
      or Activity has_any ("threat", "wildfire", "spyware", "vulnerability", "virus")
  | summarize
      HitCount = count(),
      SourceIPs = make_set(SourceIP, 20),
      DestinationIPs = make_set(DestinationIP, 20),
      DestinationURLs = make_set(RequestURL, 10),
      SeverityValues = make_set(LogSeverity, 5),
      Actions = make_set(DeviceAction, 5),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
    by Activity, DeviceEventClassID
  | where HitCount > 5
  | order by HitCount desc
entityMappings: []
customDetails:
  HitCount: HitCount
  Activity: Activity
  DeviceEventClassID: DeviceEventClassID
alertDetailsOverride:
  alertDisplayNameFormat: "Palo Alto Threat Alert - {{Activity}} ({{HitCount}} events)"
  alertDescriptionFormat: "Palo Alto threat signature {{Activity}} (class: {{DeviceEventClassID}}) fired {{HitCount}} times. Review for active malware, spyware, or vulnerability exploitation."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT12H
    matchingMethod: AnyAlert
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails:
      - Activity
This query is designed to monitor and alert on high-frequency threat events detected by Palo Alto Networks firewalls. Here's a simple breakdown:
Purpose: The query identifies threat log entries related to malware, spyware, wildfire, vulnerabilities, and viruses that have been triggered more than five times within a 24-hour period. Such frequent events may indicate active threats such as malware activity, command and control (C2) communications, or lateral exploitation attempts.
Data Source: It uses the CommonSecurityLog table, restricted to records whose DeviceVendor is "Palo Alto Networks".
Frequency and Period: The query runs every hour and examines data from the past day (24 hours).
Filtering Criteria: It keeps logs whose event class ID contains terms such as "THREAT," "WILDFIRE-VIRUS," "SPYWARE," or "VULNERABILITY," or whose Activity field contains "threat," "wildfire," "spyware," "vulnerability," or "virus."
Aggregation: The query groups the matching records by Activity and DeviceEventClassID, counting the occurrences of each pair and collecting the related source and destination IPs, URLs, severity levels, actions, and the timestamps of the first and last occurrence.
Alerting: If any activity/class pair occurs more than five times, an alert is generated. The alert includes the type of threat, the number of occurrences, and a prompt to review for potential active threats.
Severity and Techniques: The alerts are marked as High severity and are mapped to MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1071 (Application Layer Protocol).
Incident Management: When an alert is triggered, an incident is created. Alerts sharing the same Activity value are grouped into one incident within a 12-hour lookback window, but closed incidents are not reopened.
In summary, this query helps security teams quickly identify and respond to potentially serious threat activity detected by Palo Alto Networks firewalls.
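As an added example (not part of the rule or the original page), the following Python reproduces the rule's filter-and-summarize logic over a constructed set of CommonSecurityLog-style records so the threshold and one-day window can be checked offline; the `has_any` helper approximates KQL's case-insensitive whole-term matching, and the sample timestamps, IPs and the "Fortinet" vendor value are all made up. Note that the rule groups by Activity and DeviceEventClassID rather than by source IP, so HitCount counts hits across all sources combined.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

CLASS_TERMS = ("THREAT", "WILDFIRE-VIRUS", "SPYWARE", "VULNERABILITY")
ACTIVITY_TERMS = ("threat", "wildfire", "spyware", "vulnerability", "virus")
THRESHOLD = 5  # the rule fires on HitCount > 5
NOW = datetime(2026, 3, 2, 12, 0, 0)  # constructed "current time" for the ago(1d) window
def _tokens(text):
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]
def has_any(value, terms):
    # Approximates KQL has_any: case-insensitive whole-term match ('threat' hits 'Threat Log', not 'threatening')
    vt = _tokens(value)
    for tt in (_tokens(term) for term in terms):
        n = len(tt)
        if any(vt[i:i + n] == tt for i in range(len(vt) - n + 1)):
            return True
    return False

def detect(events, now):
    # Mirrors the KQL: ago(1d) window, vendor + term filters, summarize by (Activity, class), HitCount > 5, order desc
    window_start = now - timedelta(days=1)
    groups = defaultdict(list)
    for e in events:
        if e["TimeGenerated"] <= window_start or e["DeviceVendor"] != "Palo Alto Networks":
            continue
        if has_any(e["DeviceEventClassID"], CLASS_TERMS) or has_any(e["Activity"], ACTIVITY_TERMS):
            groups[(e["Activity"], e["DeviceEventClassID"])].append(e)
    results = []
    for (activity, class_id), rows in groups.items():
        if len(rows) > THRESHOLD:
            results.append({
                "Activity": activity, "DeviceEventClassID": class_id, "HitCount": len(rows),
                "SourceIPs": sorted({r["SourceIP"] for r in rows})[:20],  # make_set(SourceIP, 20)
                "DestinationIPs": sorted({r["DestinationIP"] for r in rows})[:20],
                "FirstSeen": min(r["TimeGenerated"] for r in rows),
                "LastSeen": max(r["TimeGenerated"] for r in rows),
            })
    return sorted(results, key=lambda r: r["HitCount"], reverse=True)

def _ev(minutes_ago, class_id, activity, src, dst, vendor="Palo Alto Networks"):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "DeviceVendor": vendor,
            "DeviceEventClassID": class_id, "Activity": activity, "SourceIP": src, "DestinationIP": dst}
# Constructed sample records (not real firewall data); URL, severity and action fields omitted.
SAMPLE_EVENTS = (
    [_ev(10 * i, "SPYWARE", "spyware", "10.0.0.5", "203.0.113.9") for i in range(7)]  # 7 hits -> alert
    + [_ev(30 * i, "VULNERABILITY", "vulnerability", "10.0.0.7", "198.51.100.2") for i in range(3)]  # 3 -> no alert
    + [_ev(1500 + i, "THREAT", "threat", "10.0.0.8", "203.0.113.3") for i in range(6)]  # 6 hits, older than 1d
    + [_ev(5 * i, "SPYWARE", "spyware", "10.0.0.9", "203.0.113.4", vendor="Fortinet") for i in range(6)]  # other vendor
)
```

Calling `detect(SAMPLE_EVENTS, NOW)` returns only the spyware group (7 hits); the three-hit vulnerability group, the six threat hits outside the window and the six non-Palo-Alto records are dropped, which is the behaviour to confirm before tuning the threshold.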

David Alonso
Released: March 2, 2026