Palo Alto Networks - High-Volume Inter-Zone Policy Denies
16 CSL Palo Alto Zone Policy Denies
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Palo Alto Networks"
| where DeviceAction in ("deny", "drop", "reset-client", "reset-server", "reset-both",
"Reset-Both", "Drop", "Deny")
| where isnotempty(DeviceCustomString1) or isnotempty(DeviceCustomString2)
| summarize
DenyCount = count(),
SourceIPs = make_set(SourceIP, 20),
DestinationIPs = make_set(DestinationIP, 20),
Ports = make_set(DestinationPort, 10),
Protocols = make_set(Protocol, 5),
PolicyNames = make_set(DeviceCustomString1, 10),
SourceZones = make_set(DeviceCustomString2, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by DeviceCustomString1, DeviceCustomString2, DeviceAction
| where DenyCount > 50
| order by DenyCount descExplanation
This query is designed to detect high-volume deny events in Palo Alto Networks' inter-zone policies. Here's a simplified breakdown:
-
Purpose: The query identifies instances where there are more than 50 deny actions in a day, which could indicate potential security issues such as attempts to bypass security zones, misconfigured applications, or attackers testing firewall rules.
-
Data Source: It uses data from the "CommonSecurityLog" provided by the "CommonSecurityEvents" connector.
-
Time Frame: The query looks at logs generated in the last 24 hours.
-
Filtering Criteria:
- It focuses on logs from devices by "Palo Alto Networks".
- It considers actions like "deny", "drop", and various "reset" actions.
- It ensures that certain custom fields (DeviceCustomString1 and DeviceCustomString2) are not empty.
-
Data Aggregation:
- It counts the number of deny actions.
- It collects sets of source IPs, destination IPs, ports, protocols, policy names, and source zones.
- It records the first and last time these actions were seen.
-
Alerting:
- If the count of deny actions exceeds 50, it triggers an alert.
- Alerts are sorted by the number of denies in descending order.
-
Alert Details:
- The alert is named to indicate a spike in denies for a specific policy.
- It includes details about the policy and the number of denies.
-
Incident Management:
- An incident is created for each alert.
- Incidents can be grouped if they share the same policy name (DeviceCustomString1).
- Closed incidents are not reopened if similar alerts occur within a 6-hour window.
Overall, this query helps security teams monitor and respond to unusual deny patterns in network traffic, potentially indicating security threats or misconfigurations.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 1h
Period: 1d