Query Details
// Detecting Palo Alto Firewall Exploits
// https://www.bleepingcomputer.com/news/security/palo-alto-networks-tags-new-firewall-bug-as-exploited-in-attacks/
// Source IPs observed by GreyNoise probing for the PAN-OS bug described in the article above
let GreyNoiseIPs = dynamic([
    "193.143.1.65", "49.15.245.66", "146.190.147.92", "64.39.98.72", "14.145.63.144",
    "45.61.139.121", "72.5.42.10", "85.239.56.148", "62.204.35.249", "38.54.50.252",
    "43.157.45.216", "47.190.9.241", "43.159.135.197", "198.12.122.248", "139.87.112.3",
    "123.116.247.134", "38.54.101.65", "84.17.43.35", "1.55.112.205", "196.251.89.129",
    "85.31.231.183", "46.246.9.213", "194.233.96.86", "198.23.171.159", "45.88.222.89",
    "161.81.158.136", "93.115.0.34", "199.19.95.31", "193.27.90.90", "172.86.84.84",
    "47.89.242.61", "149.88.26.226", "34.121.207.116", "104.131.69.106"
]);
CommonSecurityLog
| where TimeGenerated > ago(10d)                      // last 10 days only
| where DeviceVendor == "Palo Alto Networks"          // restrict to Palo Alto firewall logs
| where DeviceProduct == "PAN-OS"
| where SourceIP has_any(GreyNoiseIPs)                // source matches the watchlist
| summarize AttackCount=count() by SourceIP, DeviceAction   // hits per IP and firewall verdict
| sort by DeviceAction asc
This query is designed to detect potential exploits targeting Palo Alto Networks firewalls. Here's a simplified explanation of what it does:
GreyNoiseIPs List: It starts by defining a list of suspicious IP addresses known for malicious activity.
Data Source: It looks at security logs from devices where the vendor is "Palo Alto Networks" and the product is "PAN-OS."
Time Frame: It filters the logs to only include entries from the last 10 days.
IP Filtering: It further filters these logs to only include entries where the source IP address matches any of the IPs in the GreyNoiseIPs list.
Summarization: It groups the matching log entries by source IP address and by the action the device took (DeviceAction), and counts the entries in each group as AttackCount.
Sorting: Finally, it sorts the results by the action taken by the device in ascending order.
In essence, this query helps identify and count recent suspicious activities from known malicious IPs targeting Palo Alto firewalls, categorized by the action the firewall took in response.
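The same pipeline, re-implemented in Python over a handful of constructed CommonSecurityLog-style records, as an added example that is not part of the original query page. It mirrors each stage of the KQL (time window, vendor/product filter, watchlist match, summarize, sort) so the filtering and grouping can be checked offline; the watchlist here is a small placeholder subset of the IPs in the query, the records are invented, and the `allowed_hits` helper (not in the original) pulls out the rows a defender cares about most: watchlisted sources the firewall let through rather than denied.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Placeholder subset of the GreyNoise watchlist from the query above (the full
# list lives in the KQL; three entries are enough to exercise the logic).
GREYNOISE_IPS = {"193.143.1.65", "49.15.245.66", "146.190.147.92"}

# Constructed sample records shaped like CommonSecurityLog rows; not real telemetry.
NOW = datetime(2025, 2, 21, tzinfo=timezone.utc)
SAMPLE_LOGS = [
    # watchlisted source, denied twice and allowed once within the window
    {"TimeGenerated": NOW - timedelta(days=1), "DeviceVendor": "Palo Alto Networks",
     "DeviceProduct": "PAN-OS", "SourceIP": "193.143.1.65", "DeviceAction": "deny"},
    {"TimeGenerated": NOW - timedelta(days=2), "DeviceVendor": "Palo Alto Networks",
     "DeviceProduct": "PAN-OS", "SourceIP": "193.143.1.65", "DeviceAction": "deny"},
    {"TimeGenerated": NOW - timedelta(days=3), "DeviceVendor": "Palo Alto Networks",
     "DeviceProduct": "PAN-OS", "SourceIP": "193.143.1.65", "DeviceAction": "allow"},
    # watchlisted source, but 12 days old: outside ago(10d)
    {"TimeGenerated": NOW - timedelta(days=12), "DeviceVendor": "Palo Alto Networks",
     "DeviceProduct": "PAN-OS", "SourceIP": "49.15.245.66", "DeviceAction": "deny"},
    # watchlisted source seen by a different vendor's device: filtered out
    {"TimeGenerated": NOW - timedelta(days=1), "DeviceVendor": "Fortinet",
     "DeviceProduct": "FortiGate", "SourceIP": "146.190.147.92", "DeviceAction": "deny"},
    # internal source not on the watchlist: filtered out
    {"TimeGenerated": NOW - timedelta(days=1), "DeviceVendor": "Palo Alto Networks",
     "DeviceProduct": "PAN-OS", "SourceIP": "10.0.0.5", "DeviceAction": "allow"},
]


def detect_greynoise_hits(logs, watchlist, now, lookback_days=10):
    """Apply the KQL stages in order and return rows of
    {SourceIP, DeviceAction, AttackCount}, sorted by DeviceAction ascending."""
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter()
    for rec in logs:
        if rec["TimeGenerated"] <= cutoff:              # TimeGenerated > ago(10d)
            continue
        if rec["DeviceVendor"] != "Palo Alto Networks":  # DeviceVendor == ...
            continue
        if rec["DeviceProduct"] != "PAN-OS":             # DeviceProduct == ...
            continue
        if rec["SourceIP"] not in watchlist:             # SourceIP has_any(GreyNoiseIPs)
            continue
        counts[(rec["SourceIP"], rec["DeviceAction"])] += 1   # summarize ... by SourceIP, DeviceAction
    rows = [{"SourceIP": ip, "DeviceAction": action, "AttackCount": n}
            for (ip, action), n in counts.items()]
    # sort by DeviceAction asc; SourceIP is a secondary key so ties are deterministic
    rows.sort(key=lambda r: (r["DeviceAction"], r["SourceIP"]))
    return rows


def allowed_hits(rows):
    """Rows where a watchlisted source was allowed through: the ones worth triage,
    since 'deny' rows show the firewall already stopped the traffic."""
    return [r for r in rows if r["DeviceAction"] == "allow"]


if __name__ == "__main__":
    for row in detect_greynoise_hits(SAMPLE_LOGS, GREYNOISE_IPS, NOW):
        print(row)
    print("needs triage:", allowed_hits(detect_greynoise_hits(SAMPLE_LOGS, GREYNOISE_IPS, NOW)))
```

Note that the Python version uses exact set membership for the IP match; the KQL `has_any` is a term match, which is what the query author chose, but for a list of full IP addresses the `in` operator gives the same exact-match behaviour this example implements.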

Steven Lim
Released: February 21, 2025