Query Details

16 CSL Palo Alto Zone Policy Denies

Query

id: d6e7f8a9-b0c1-4d2e-3f4a-5b6c7d8e9f0a
name: "Palo Alto Networks - High-Volume Inter-Zone Policy Denies"
version: 1.0.0
kind: Scheduled
description: |
  Detects high-volume Palo Alto Networks inter-zone policy deny events grouped by policy name
  and zone pair (>50 denies). A spike in denies against a specific policy may indicate a zone
  bypass attempt, misconfigured application, or an attacker testing firewall rules from a
  compromised internal host. Policy names and zone context help distinguish automated tooling
  from legitimate traffic.
  MITRE ATT&CK: T1562 (Impair Defenses), T1046 (Network Service Discovery)
severity: Medium
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - DefenseEvasion
  - Discovery
relevantTechniques:
  - T1562
  - T1046
query: |
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor == "Palo Alto Networks"
  // in~ is case-insensitive, so "Deny", "DROP" and "Reset-Both" all match without
  // listing every capitalisation the forwarder may emit
  | where DeviceAction in~ ("deny", "drop", "reset-client", "reset-server", "reset-both")
  // cs1 is expected to carry the policy (rule) name and cs2 the zone; confirm with the
  // DeviceCustomString1Label / DeviceCustomString2Label columns for your CEF feed
  | where isnotempty(DeviceCustomString1) or isnotempty(DeviceCustomString2)
  | summarize
      DenyCount        = count(),
      SourceIPs        = make_set(SourceIP, 20),
      DestinationIPs   = make_set(DestinationIP, 20),
      Ports            = make_set(DestinationPort, 10),
      Protocols        = make_set(Protocol, 5),
      PolicyNames      = make_set(DeviceCustomString1, 10),
      SourceZones      = make_set(DeviceCustomString2, 5),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by DeviceCustomString1, DeviceCustomString2, DeviceAction
  // one row per policy/zone/action combination over the 24-hour window
  | where DenyCount > 50
  | order by DenyCount desc
entityMappings: []
customDetails:
  DenyCount: DenyCount
  DeviceCustomString1: DeviceCustomString1
alertDetailsOverride:
  alertDisplayNameFormat: "Palo Alto Policy Deny Spike - {{DeviceCustomString1}} ({{DenyCount}} denies)"
  alertDescriptionFormat: "Palo Alto policy {{DeviceCustomString1}} generated {{DenyCount}} deny events. High deny volume may indicate zone bypass attempts or firewall rule testing."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: AnyAlert
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails:
      - DeviceCustomString1

Explanation

This query detects high-volume deny events in Palo Alto Networks inter-zone policies. A simplified breakdown:

  1. Purpose: The query identifies policy/zone/action combinations with more than 50 deny actions in a day, which could indicate attempts to bypass security zones, misconfigured applications, or attackers testing firewall rules from a compromised internal host.

  2. Data Source: It uses the "CommonSecurityLog" table provided by the "CommonSecurityEvents" connector.

  3. Time Frame: The query looks at logs generated in the last 24 hours and runs every hour.

  4. Filtering Criteria:
    • It focuses on logs where DeviceVendor is "Palo Alto Networks".
    • It considers the actions "deny", "drop" and the "reset-client", "reset-server" and "reset-both" variants.
    • It requires that at least one of the custom fields DeviceCustomString1 (policy name) or DeviceCustomString2 (zone) is populated. Check the DeviceCustomString1Label and DeviceCustomString2Label columns to confirm that these fields carry the policy and zone in your CEF feed, since the mapping depends on the firewall's log forwarding format.

  5. Data Aggregation:
    • It counts the number of deny actions per policy name, zone and action.
    • It collects sets of source IPs (up to 20), destination IPs (up to 20), destination ports (up to 10), protocols (up to 5), policy names and source zones.
    • It records the first and last time these actions were seen.

  6. Alerting:
    • Only combinations with more than 50 denies are returned; because triggerThreshold is 0, any returned row raises an alert.
    • Results are sorted by the number of denies in descending order.

  7. Alert Details:
    • The alert name indicates a spike in denies for a specific policy.
    • The alert description includes the policy name and the number of denies.

  8. Incident Management:
    • An incident is created for each alert.
    • Alerts are grouped into an existing open incident when they share the same policy name (DeviceCustomString1) within a 6-hour lookback window.
    • Closed incidents are not reopened for new matching alerts.

Overall, this query helps security teams monitor and respond to unusual deny patterns in network traffic, which may indicate security threats or misconfigurations.
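The fixed threshold of 50 fires just as readily for a policy that always denies hundreds of connections a day as for a quiet one that suddenly jumps, so the "spike" in the alert name is only meaningful against a baseline. The following is an added example, not the original rule or the author's code: it rates each policy/zone pair's last 24 hours against that pair's own average daily count over the preceding 7 days, assuming the same DeviceCustomString1/DeviceCustomString2 roles as above; the let-bound names (lookback, window, min_denies, min_ratio, SpikeRatio) are this example's own.

```kql
// Added example, not part of the original rule: compare the last 24h of denies for each
// policy/zone pair against that pair's average daily count over the preceding 7 days.
// Assumes the same field roles as the rule above (cs1 = policy name, cs2 = zone).
// To run this as a scheduled rule, queryPeriod must cover the full 8-day span.
let lookback   = 7d;        // baseline period
let window     = 1d;        // detection period
let min_denies = 50;        // absolute floor, same as the original rule
let min_ratio  = 3.0;       // fire only when today is at least 3x the daily baseline
let denies = CommonSecurityLog
    | where TimeGenerated > ago(lookback + window)
    | where DeviceVendor == "Palo Alto Networks"
    | where DeviceAction in~ ("deny", "drop", "reset-client", "reset-server", "reset-both")
    | where isnotempty(DeviceCustomString1);
// Average denies per day for each pair during the 7 days before the detection window
let baseline = denies
    | where TimeGenerated <= ago(window)
    | summarize BaselineDailyAvg = count() / (lookback / 1d)
      by DeviceCustomString1, DeviceCustomString2;
// Denies in the most recent 24 hours, with the same context columns the rule collects
let current = denies
    | where TimeGenerated > ago(window)
    | summarize DenyCount      = count(),
                SourceIPs      = make_set(SourceIP, 20),
                DestinationIPs = make_set(DestinationIP, 20),
                FirstSeen      = min(TimeGenerated),
                LastSeen       = max(TimeGenerated)
      by DeviceCustomString1, DeviceCustomString2;
current
| join kind=leftouter baseline on DeviceCustomString1, DeviceCustomString2
| project-away DeviceCustomString11, DeviceCustomString21
// A pair with no history gets a baseline of 0 and is treated as entirely new traffic
| extend BaselineDailyAvg = coalesce(BaselineDailyAvg, 0.0)
| extend SpikeRatio = iff(BaselineDailyAvg == 0.0, toreal(DenyCount), DenyCount / BaselineDailyAvg)
| where DenyCount > min_denies and SpikeRatio >= min_ratio
| project DeviceCustomString1, DeviceCustomString2, DenyCount, BaselineDailyAvg,
          SpikeRatio = round(SpikeRatio, 2), SourceIPs, DestinationIPs, FirstSeen, LastSeen
| order by SpikeRatio desc
```

A pair that denies a steady 500 connections a day yields a ratio near 1 and stays silent, while one that goes from 5 to 80 yields a ratio of 16 and surfaces at the top.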

Details

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

PaloAltoNetworks, CommonSecurityEvents, CommonSecurityLog, DeviceVendor, DeviceAction, DeviceCustomString, SourceIP, DestinationIP, DestinationPort, Protocol, PolicyNames, SourceZones, TimeGenerated, DenyCount

Operators

ago(), in(), isnotempty(), summarize, count(), make_set(), min(), max(), by, order by, desc