Query Details

Palo Alto Stops

Query

// You can create an Analytics Rule with the following query to alert when Palo Alto data stops flowing.

CommonSecurityLog
| where TimeGenerated > ago(2h)
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct has "PAN-OS"
| summarize count()
| where count_ == 0

Explanation

This query reads the CommonSecurityLog table and checks whether any records from Palo Alto Networks PAN-OS devices have arrived in the past 2 hours. Because summarize count() with no "by" clause still returns a single row (with count_ = 0) when its input is empty, the final where clause returns that row only when no matching events were received, and an Analytics Rule built on the query fires an alert on that result.
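The following is an added example, not part of the original page or its author's query. It keeps the same table and columns but widens the window to also report how long the feed has been silent, and it handles the case where no PAN-OS events exist in the whole lookback (max() then returns null rather than a timestamp). The History and LookBack values are assumed thresholds chosen for illustration.

```kql
// Added example (not from the original page): report silence duration for the PAN-OS feed.
let LookBack = 2h;   // assumed alert threshold, same as the original query
let History = 7d;    // assumed window used to find the last event received
CommonSecurityLog
| where TimeGenerated > ago(History)
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct has "PAN-OS"
| summarize LastSeen = max(TimeGenerated), EventCount = count()
// summarize with no "by" clause returns one row even on empty input; LastSeen is then null
| extend SilentFor = now() - LastSeen
| where isnull(LastSeen) or LastSeen < ago(LookBack)
| project LastSeen, SilentFor, EventCount
```

When used in an Analytics Rule the returned row carries LastSeen and SilentFor, so the alert tells the responder whether the outage started minutes ago or whether the connector has been down for the whole History window.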

Details


Rod Trent

Released: January 3, 2023

Tables

CommonSecurityLog

Keywords

CommonSecurityLog,TimeGenerated,DeviceVendor,PaloAltoNetworks,DeviceProduct,PAN-OS,count_

Operators

where, |, >, ago(), ==, has, summarize, count()
