Splunk Palo Alto Search Queries.txt
Top source IPs generating the most traffic:
index=SecnNetPAFW sourcetype=pan:traffic
| top limit=10 src_ip
Top destination IPs receiving the most traffic:
index=SecnNetPAFW sourcetype=pan:traffic
| top limit=10 dest_ip
Top applications used on the network:
index=SecnNetPAFW sourcetype=pan:traffic
| top limit=10 app
Top blocked applications:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 app
*****action=deny matches policy denies only. PAN-OS traffic logs also record blocked sessions as drop, reset-client, reset-server and reset-both, and some versions of the Palo Alto add-on normalize action to allowed/blocked. Run the "Distribution of traffic events by log action" query below first to see which values your index actually carries, then use action!=allow (or an explicit action IN (...) list) wherever you want every blocked session rather than policy denies only.*****
Top threats detected by the firewall:
index=SecnNetPAFW sourcetype=pan:threat
| top limit=10 threatid
Firewall traffic volume over time:
index=SecnNetPAFW sourcetype=pan:traffic
| timechart count by action
Top users generating the most traffic:
index=SecnNetPAFW sourcetype=pan:traffic
| top limit=10 user
Top protocols used in the network:
index=SecnNetPAFW sourcetype=pan:traffic
| top limit=10 protocol
Traffic volume by destination port:
index=SecnNetPAFW sourcetype=pan:traffic
| top limit=10 dest_port
Top threat categories:
index=SecnNetPAFW sourcetype=pan:threat
| top limit=10 category
Threat events over time:
index=SecnNetPAFW sourcetype=pan:threat
| timechart count by severity
Traffic events by action and rule:
index=SecnNetPAFW sourcetype=pan:traffic
| stats count by action, rule
Top source and destination IP pairs:
index=SecnNetPAFW sourcetype=pan:traffic
| stats count by src_ip, dest_ip
| sort -count
| head 10
Top inbound and outbound traffic by zone:
index=SecnNetPAFW sourcetype=pan:traffic
| stats sum(bytes) as total_bytes by src_zone, dest_zone
| sort -total_bytes
Top countries by source IP address:
index=SecnNetPAFW sourcetype=pan:traffic
| iplocation src_ip
| top limit=10 Country
*****iplocation fills no Country for RFC 1918 and other non-routable addresses, so on a perimeter firewall the source-country view only says anything about inbound sessions; top silently skips the empty values. iplocation also reads the GeoIP database bundled with Splunk, which needs to be kept updated for the results to be trustworthy.*****
Top countries by destination IP address:
index=SecnNetPAFW sourcetype=pan:traffic
| iplocation dest_ip
| top limit=10 Country
Firewall traffic by source and destination zone:
index=SecnNetPAFW sourcetype=pan:traffic
| stats count by src_zone, dest_zone
Events with high severity threats:
index=SecnNetPAFW sourcetype=pan:threat severity=high
| table _time, src_ip, dest_ip, threatid, category
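A high-severity threat event is most interesting when the firewall did not actually stop the session. The search below is an added example (not part of the original query list) that joins the threat log and the traffic log on the src_ip/dest_ip pair within one window and keeps only pairs where the IPS fired at high or critical severity and the policy also allowed sessions, ranked by the bytes that got through. It uses only the field names already used on this page (severity, threatid, category, action, bytes); the 24-hour window and the head limit are assumptions to adjust.

```spl
index=SecnNetPAFW earliest=-24h
    ((sourcetype=pan:threat severity IN (high, critical)) OR (sourcetype=pan:traffic action=allow))
| stats count(eval(sourcetype=="pan:threat")) as threat_events,
        values(eval(if(sourcetype=="pan:threat", threatid, null()))) as threat_ids,
        values(eval(if(sourcetype=="pan:threat", category, null()))) as threat_categories,
        count(eval(sourcetype=="pan:traffic")) as allowed_sessions,
        sum(eval(if(sourcetype=="pan:traffic", bytes, 0))) as allowed_bytes
        by src_ip, dest_ip
| where threat_events > 0 AND allowed_sessions > 0
| sort -allowed_bytes
| head 25
```

Both logs are pulled in one search and aggregated with stats rather than with join, so the search scales to the full window and is not cut off by the subsearch result limit. Pairs with threat events but no allowed sessions were blocked and drop out; what remains is the list to triage first.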
Blocked traffic events by application category:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 app_category
Top URLs by user:
index=SecnNetPAFW sourcetype=pan:url
| top limit=10 url by user
Connection attempts to potentially malicious destinations:
index=SecnNetPAFW sourcetype=pan:traffic dest_ip IN (1.2.3.4, 5.6.7.8)
| stats count by src_ip, dest_ip
*****Replace the IP addresses (1.2.3.4, 5.6.7.8) with actual malicious IP addresses you want to monitor.*****
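Hand-editing an IN list does not scale past a handful of indicators. The search below is an added example (not part of the original query list) that reads the watchlist from a lookup table file instead. It assumes a CSV named malicious_ips.csv has been uploaded as a lookup table file with the columns dest_ip and ioc_source (both names are assumptions); the subsearch turns the first column into an index-time filter, and the lookup command then tags each match with where the indicator came from.

```spl
index=SecnNetPAFW sourcetype=pan:traffic
    [| inputlookup malicious_ips.csv | fields dest_ip]
| lookup malicious_ips.csv dest_ip OUTPUT ioc_source
| stats count as sessions,
        earliest(_time) as first_seen,
        latest(_time) as last_seen,
        sum(bytes) as total_bytes,
        values(action) as actions,
        values(app) as apps
        by src_ip, dest_ip, ioc_source
| convert ctime(first_seen) ctime(last_seen)
| sort -total_bytes
```

The subsearch expands to (dest_ip="...") OR (dest_ip="...") for every row in the file, which is fast because the filter is applied at the index, but a subsearch returns at most 10,000 results by default; for larger feeds drop the subsearch and keep only the lookup plus a where isnotnull(ioc_source). The actions column matters: a watchlist hit that was allowed is an incident, a hit that was denied is confirmation the block works.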
Top denied destination ports:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 dest_port
Top source IPs attempting to connect to blocked applications:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 src_ip by app
Top destination IPs with denied connections:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 dest_ip
Top users with denied connections:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 user
Total traffic volume per user:
index=SecnNetPAFW sourcetype=pan:traffic
| stats sum(bytes) as total_bytes by user
| sort -total_bytes
Traffic patterns by hour of the day:
index=SecnNetPAFW sourcetype=pan:traffic
| eval hour=strftime(_time, "%H")
| chart count over hour by action
| sort hour
*****timechart span=1h would give one bucket per clock hour across the search window; folding _time to its hour with strftime gives the 24-row hour-of-day profile the title describes.*****
Distribution of threat severity levels:
index=SecnNetPAFW sourcetype=pan:threat
| stats count by severity
Top allowed applications by traffic volume:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| stats sum(bytes) as total_bytes by app
| sort -total_bytes
Distribution of events by log subtype:
index=SecnNetPAFW sourcetype=pan:log
| stats count by subtype
Top 10 URL categories by traffic volume:
index=SecnNetPAFW sourcetype=pan:url
| stats sum(bytes) as total_bytes by category
| sort -total_bytes
| head 10
Connections to specific destination IP addresses:
index=SecnNetPAFW sourcetype=pan:traffic dest_ip IN (1.2.3.4, 5.6.7.8)
| stats count by src_ip, dest_ip, action
*****Replace the IP addresses (1.2.3.4, 5.6.7.8) with actual destination IP addresses you want to monitor.*****
Denied traffic patterns by hour of the day:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| eval hour=strftime(_time, "%H")
| stats count by hour
| sort hour
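An hourly profile is most useful as a baseline. The search below is an added example (not part of the original query list) that keeps the hourly series, then flags hours whose denied-session count is far above the mean for the window using a z-score computed with eventstats. The 7-day window and the threshold of 3 standard deviations are assumptions; tune them against your own data.

```spl
index=SecnNetPAFW sourcetype=pan:traffic action=deny earliest=-7d
| timechart span=1h count as denied
| eventstats avg(denied) as baseline_avg, stdev(denied) as baseline_sd
| eval zscore=round((denied - baseline_avg) / baseline_sd, 2)
| where zscore >= 3
| table _time, denied, baseline_avg, baseline_sd, zscore
```

timechart emits a zero for hours with no denies, so quiet hours pull the mean down correctly instead of being skipped. A single huge hour inflates baseline_sd and can hide a second, smaller spike; if that matters, compute the baseline over a longer window than the one you are testing, or compare each hour with the same hour on previous days.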
Top blocked destination IPs by application:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 dest_ip by app
Distribution of traffic events by log action:
index=SecnNetPAFW sourcetype=pan:traffic
| stats count by action
Top source IP addresses with the most denied connections:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 src_ip
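A top-10 of denied sources shows who is noisiest, not who is scanning. The search below is an added example (not part of the original query list) that buckets denied sessions into 5-minute windows and reports sources that touched many distinct destination hosts or ports inside one window, which is the shape of a host or port sweep. The bucket size and the thresholds of 50 hosts or 50 ports are assumptions.

```spl
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| bin _time span=5m
| stats dc(dest_ip) as distinct_hosts,
        dc(dest_port) as distinct_ports,
        count as denied,
        values(dest_zone) as dest_zones
        by _time, src_ip
| where distinct_hosts >= 50 OR distinct_ports >= 50
| sort -_time, -denied
```

Authorized vulnerability scanners will top this list every time they run; exclude them with a src_ip!= clause or a small lookup of scanner addresses rather than by raising the thresholds, so a real sweep from an unexpected host still shows.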
Top destination IP addresses with the most allowed connections:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| top limit=10 dest_ip
Time-based distribution of events by log subtype:
index=SecnNetPAFW sourcetype=pan:log
| timechart count by subtype
Threat events with medium severity:
index=SecnNetPAFW sourcetype=pan:threat severity=medium
| table _time, src_ip, dest_ip, threatid, category
Top users with allowed connections:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| top limit=10 user
Traffic patterns by day of the week:
index=SecnNetPAFW sourcetype=pan:traffic
| eval wday=strftime(_time, "%w %a")
| chart count over wday by action
| sort wday
*****timechart span=1d gives one row per calendar day; folding _time to its weekday gives the seven-row profile the title describes. The leading %w (0=Sunday) keeps the rows in calendar order when sorted.*****
Top source and destination IP pairs with denied connections:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| stats count by src_ip, dest_ip
| sort -count
| head 10
Top threat events by source IP address:
index=SecnNetPAFW sourcetype=pan:threat
| top limit=10 src_ip
Top threat events by destination IP address:
index=SecnNetPAFW sourcetype=pan:threat
| top limit=10 dest_ip
Distribution of allowed traffic by application category:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| top limit=10 app_category
Top denied events by rule:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 rule
Top allowed destination ports by traffic volume:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| stats sum(bytes) as total_bytes by dest_port
| sort -total_bytes
Connection attempts to specific source IP addresses:
index=SecnNetPAFW sourcetype=pan:traffic src_ip IN (1.2.3.4, 5.6.7.8)
| stats count by src_ip, dest_ip, action
*****Replace the IP addresses (1.2.3.4, 5.6.7.8) with actual source IP addresses you want to monitor.*****
Top threat events by user:
index=SecnNetPAFW sourcetype=pan:threat
| top limit=10 user
Top threat categories by event count:
index=SecnNetPAFW sourcetype=pan:threat
| top limit=10 category
Top applications by denied connection count:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 app
Distribution of threat events by action:
index=SecnNetPAFW sourcetype=pan:threat
| stats count by action
Top URL categories with denied connections:
index=SecnNetPAFW sourcetype=pan:url action=deny
| top limit=10 category
Top source IP addresses with allowed connections:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| top limit=10 src_ip
Top destination IP addresses for a specific application:
index=SecnNetPAFW sourcetype=pan:traffic app=<Your_Application>
| top limit=10 dest_ip
*****Replace <Your_Application> with the specific application you want to monitor.*****
Top source and destination IP pairs with allowed connections:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| stats count by src_ip, dest_ip
| sort -count
| head 10
Top allowed applications by connection count:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| top limit=10 app
Distribution of events by log type:
index=SecnNetPAFW sourcetype=pan:log
| stats count by log_type
Top source countries with denied connections:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 src_country
Top destination countries with allowed connections:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| top limit=10 dest_country
Denied connections by rule and user:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| stats count by rule, user
Top applications by bytes transferred:
index=SecnNetPAFW sourcetype=pan:traffic
| stats sum(bytes) as total_bytes by app
| sort -total_bytes
Distribution of traffic events by protocol:
index=SecnNetPAFW sourcetype=pan:traffic
| stats count by protocol
Top denied applications by connection count:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 app
Distribution of allowed traffic by application subcategory:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| top limit=10 app_subcategory
Top threat events by threat ID:
index=SecnNetPAFW sourcetype=pan:threat
| top limit=10 threatid
Top URL categories with allowed connections:
index=SecnNetPAFW sourcetype=pan:url action=allow
| top limit=10 category
Top destination countries with denied connections:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 dest_country
Top source countries with allowed connections:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| top limit=10 src_country
Allowed connections by rule and user:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| stats count by rule, user
Top threat event types:
index=SecnNetPAFW sourcetype=pan:threat
| top limit=10 event_type
Distribution of denied traffic by application subcategory:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 app_subcategory
Top allowed destination ports by connection count:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| top limit=10 dest_port
Denied connections by source and destination zones:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| stats count by src_zone, dest_zone
Top source zones with allowed connections:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| top limit=10 src_zone
Top destination zones with denied connections:
index=SecnNetPAFW sourcetype=pan:traffic action=deny
| top limit=10 dest_zone
Allowed connections by source and destination zones:
index=SecnNetPAFW sourcetype=pan:traffic action=allow
| stats count by src_zone, dest_zone