Query Details

Palo Alto Networks - High-Volume Inter-Zone Policy Denies

16 CSL Palo Alto Zone Policy Denies

Query

CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Palo Alto Networks"
| where DeviceAction in ("deny", "drop", "reset-client", "reset-server", "reset-both",
                         "Reset-Both", "Drop", "Deny")
| where isnotempty(DeviceCustomString1) or isnotempty(DeviceCustomString2)
| summarize
    DenyCount        = count(),
    SourceIPs        = make_set(SourceIP, 20),
    DestinationIPs   = make_set(DestinationIP, 20),
    Ports            = make_set(DestinationPort, 10),
    Protocols        = make_set(Protocol, 5),
    PolicyNames      = make_set(DeviceCustomString1, 10),
    SourceZones      = make_set(DeviceCustomString2, 5),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by DeviceCustomString1, DeviceCustomString2, DeviceAction
| where DenyCount > 50
| order by DenyCount desc

Explanation

This query is designed to detect high-volume deny events in Palo Alto Networks' inter-zone policies. Here's a simplified breakdown:

  1. Purpose: The query identifies instances where there are more than 50 deny actions in a day, which could indicate potential security issues such as attempts to bypass security zones, misconfigured applications, or attackers testing firewall rules.

  2. Data Source: It uses data from the "CommonSecurityLog" provided by the "CommonSecurityEvents" connector.

  3. Time Frame: The query looks at logs generated in the last 24 hours.

  4. Filtering Criteria:

    • It focuses on logs from devices by "Palo Alto Networks".
    • It considers actions like "deny", "drop", and various "reset" actions.
    • It ensures that certain custom fields (DeviceCustomString1 and DeviceCustomString2) are not empty.
  5. Data Aggregation:

    • It counts the number of deny actions.
    • It collects sets of source IPs, destination IPs, ports, protocols, policy names, and source zones.
    • It records the first and last time these actions were seen.
  6. Alerting:

    • If the count of deny actions exceeds 50, it triggers an alert.
    • Alerts are sorted by the number of denies in descending order.
  7. Alert Details:

    • The alert is named to indicate a spike in denies for a specific policy.
    • It includes details about the policy and the number of denies.
  8. Incident Management:

    • An incident is created for each alert.
    • Incidents can be grouped if they share the same policy name (DeviceCustomString1).
    • Closed incidents are not reopened if similar alerts occur within a 6-hour window.

Overall, this query helps security teams monitor and respond to unusual deny patterns in network traffic, potentially indicating security threats or misconfigurations.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

PaloAltoNetworksCommonSecurityEventsLogDeviceVendorActionCustomStringSourceIPDestinationPortProtocolPolicyNamesZonesTimeGeneratedDenyCount

Operators

ago()in()isnotempty()summarizecount()make_set()min()max()byorder bydesc

Severity

Medium

Tactics

DefenseEvasionDiscovery

MITRE Techniques

Frequency: 1h

Period: 1d

Actions

GitHub