Palo Alto Networks - Threat Log Events (Spyware, Wildfire, Vulnerability)
08 CSL Palo Alto Threat Logs
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Palo Alto Networks"
| where DeviceEventClassID has_any ("THREAT", "threat", "WILDFIRE-VIRUS", "SPYWARE", "VULNERABILITY")
or Activity has_any ("threat", "wildfire", "spyware", "vulnerability", "virus")
| summarize
HitCount = count(),
SourceIPs = make_set(SourceIP, 20),
DestinationIPs = make_set(DestinationIP, 20),
DestinationURLs = make_set(RequestURL, 10),
SeverityValues = make_set(LogSeverity, 5),
Actions = make_set(DeviceAction, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by Activity, DeviceEventClassID
| where HitCount > 5
| order by HitCount descExplanation
This query is designed to monitor and alert on high-frequency threat events detected by Palo Alto Networks firewalls. Here's a simple breakdown:
-
Purpose: The query identifies threat log entries related to malware, spyware, wildfire, vulnerabilities, and viruses that have been triggered more than five times within a 24-hour period. Such frequent events may indicate active threats like malware activity, command and control (C2) communications, or lateral exploitation attempts.
-
Data Source: It uses data from the "CommonSecurityLog" data type, specifically focusing on logs from devices by Palo Alto Networks.
-
Frequency and Period: The query runs every hour and looks at data from the past day (24 hours).
-
Filtering Criteria: It filters logs where the event class ID or activity includes terms like "THREAT," "WILDFIRE-VIRUS," "SPYWARE," or "VULNERABILITY."
-
Aggregation: The query summarizes the data by counting the number of times each type of threat activity occurs, along with collecting related source and destination IPs, URLs, severity levels, actions, and timestamps of the first and last occurrences.
-
Alerting: If any threat activity is detected more than five times, an alert is generated. The alert includes details about the type of threat, the number of occurrences, and a suggestion to review for potential active threats.
-
Severity and Techniques: The severity of these alerts is marked as high, and they are associated with MITRE ATT&CK techniques T1190 (Exploiting Public-Facing Applications) and T1071 (Application Layer Protocol).
-
Incident Management: If an alert is triggered, an incident is created. Incidents can be grouped based on similar activities, but closed incidents will not be reopened.
In summary, this query helps security teams quickly identify and respond to potentially serious threat activities detected by Palo Alto Networks firewalls.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1d