Security-Related Queries for Palo Alto Networks and Other Firewalls
This post has several queries you can run in Sumo to detect potential security issues with your Palo Alto Networks firewall. You can tweak the queries to use them with other firewalls.
A query returns no results when nothing in the search window matches the condition it tests for. Before reading an empty result as "no problem", confirm the parse expression actually matches your log format: each query below expects the 46 comma-separated fields named in its parse line, and a firewall that emits a different column order (another PAN-OS version, another vendor) will simply produce no parsed events, which also looks like an empty result.
Monitor Suspicious Activity
Using the Sumo Logic and CrowdStrike integration, analyze your firewall logs for potential threats and indicators of compromise. The query keeps only sessions to public destinations (anything outside 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), joins the destination IP against the CrowdStrike indicator table, and reports how many days have passed since the indicator was last updated (`age`), which helps separate fresh intelligence from stale entries. Because the lookup returns its own `type` column, the `where type="ip_address"` line tests the indicator type, and the `type` shown in the results is the indicator type rather than the log type. For more information about the Sumo-CrowdStrike integration, see Threat Intel Quick Analysis.
_sourceCategory=network/firewall/pan and ",TRAFFIC,"
| parse "*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*" as f1,recvTime,serialNum,type,subtype,f2,genTime,src_ip,dest_ip,natsrc_ip,natdest_ip,ruleName,src_user,dest_user,app,vsys,src_zone,dest_zone,ingress_if,egress_if,logProfile,f3,sessionID,repeatCnt,src_port,dest_port,natsrc_port,natdest_port,flags,protocol,action,bytes,bytes_sent,bytes_recv,packets,start_time,elapsed_time,cat,f4,seqNum,action_flags,src_loc,dest_loc,f5,packets_sent,packets_rcv
| where !isEmpty(dest_ip)
| if( compareCIDRPrefix("10.0.0.0", dest_ip, toInt(8)) OR compareCIDRPrefix("172.16.0.0", dest_ip, toInt(12)) OR compareCIDRPrefix("192.168.0.0", dest_ip, toInt(16)), "Private", "Public") as ip_type
| where ip_type="Public"
| lookup type, actor, raw, threatlevel from sumo://threat/cs on threat=dest_ip
| where type="ip_address"
| json field=raw "last_updated"
| concat(last_updated, "000") as last_updated
| formatDate(fromMillis(tolong(last_updated)), "MM/dd/yy") as last_updated
| json field=raw "kill_chains"
| json field=raw "ip_address_types"
| formatDate(now(), "MM/dd/yy") as today
| toMillis(parseDate(last_updated, "MM/dd/yy")) as last_updated_millis
| toMillis(parseDate(today, "MM/dd/yy")) as today_millis
| (toInt((last_updated_millis-today_millis)/86400000)*-1) as age
| formatDate(_messageTime, "yy-MM-dd HH:mm:ss") as date
| count date, type, subtype, app, action, src_ip, src_port, dest_ip, dest_port, age, actor, threatlevel, kill_chains, ip_address_types
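The steps the query above performs, carried out in Python over constructed input so they can be run and inspected offline. This is an added example and not part of the original post or of the Sumo-CrowdStrike integration: the three log lines, the `THREAT_INTEL` table standing in for the `sumo://threat/cs` lookup, and the fixed `EXAMPLE_NOW` clock are all constructed for the example; the field names are the ones the query's parse expression assigns.

```python
import csv
import ipaddress
from datetime import datetime, timezone

# Field names in the order the Sumo query's parse expression assigns them (46 columns).
FIELDS = ("f1,recvTime,serialNum,type,subtype,f2,genTime,src_ip,dest_ip,natsrc_ip,"
          "natdest_ip,ruleName,src_user,dest_user,app,vsys,src_zone,dest_zone,ingress_if,"
          "egress_if,logProfile,f3,sessionID,repeatCnt,src_port,dest_port,natsrc_port,"
          "natdest_port,flags,protocol,action,bytes,bytes_sent,bytes_recv,packets,"
          "start_time,elapsed_time,cat,f4,seqNum,action_flags,src_loc,dest_loc,f5,"
          "packets_sent,packets_rcv").split(",")

# The three ranges the query tests with compareCIDRPrefix().
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed clock so the age computation is reproducible (assumption for the example).
EXAMPLE_NOW = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)


def constructed_record(src_ip, dest_ip, dest_port, action):
    """Build one constructed TRAFFIC line (not real firewall output) with 46 columns."""
    cols = ["1", "2024/01/15 10:00:01", "001122334455", "TRAFFIC", "end", "1",
            "2024/01/15 10:00:01", src_ip, dest_ip, "0.0.0.0", "0.0.0.0", "allow-out",
            "", "", "web-browsing", "vsys1", "trust", "untrust", "ethernet1/2",
            "ethernet1/1", "default", "1", "4711", "1", "51000", dest_port, "0", "0",
            "0x0", "tcp", action, "1200", "800", "400", "10", "2024/01/15 10:00:00",
            "1", "any", "1", "10001", "0x0", "10.0.0.0-10.255.255.255", "US", "1",
            "6", "4"]
    assert len(cols) == len(FIELDS)
    return ",".join(cols)


# Constructed sample log: one public hit, one private destination, one clean public one.
SAMPLE_LOG = [
    constructed_record("192.168.1.10", "203.0.113.5", "443", "allow"),   # public, on the list
    constructed_record("192.168.1.11", "10.20.30.40", "445", "allow"),   # RFC 1918: filtered out
    constructed_record("192.168.1.12", "198.51.100.7", "80", "allow"),   # public, not on the list
]

# Constructed indicator table standing in for the sumo://threat/cs lookup.
# last_updated is epoch seconds, which is why the query appends "000" before fromMillis().
THREAT_INTEL = {
    "203.0.113.5": {"type": "ip_address", "actor": "EXAMPLE ACTOR", "threatlevel": "high",
                    "last_updated": 1704672000,          # 2024-01-08 00:00:00 UTC
                    "kill_chains": ["C2"], "ip_address_types": ["c2_server"]},
}


def parse_traffic(line):
    """Split one line into the query's field names; None when the column count differs."""
    cols = next(csv.reader([line]))
    if len(cols) != len(FIELDS):
        return None
    return dict(zip(FIELDS, cols))


def ip_type(addr):
    """'Private' for the RFC 1918 ranges, 'Public' otherwise (the query's if() expression)."""
    ip = ipaddress.ip_address(addr)
    return "Private" if any(ip in net for net in PRIVATE_NETS) else "Public"


def indicator_age_days(last_updated_epoch, now):
    """Whole calendar days between the indicator's last update and `now`, like the query's
    `age`, which subtracts two dates that were already truncated to MM/dd/yy."""
    updated = datetime.fromtimestamp(last_updated_epoch, timezone.utc)
    return (now.date() - updated.date()).days


def find_threat_hits(lines, intel, now):
    """Return one dict per public destination that matches an ip_address indicator."""
    hits = []
    for line in lines:
        rec = parse_traffic(line)
        if rec is None or rec["type"] != "TRAFFIC" or not rec["dest_ip"]:
            continue                                  # where !isEmpty(dest_ip)
        if ip_type(rec["dest_ip"]) != "Public":
            continue                                  # where ip_type="Public"
        ioc = intel.get(rec["dest_ip"])
        if ioc is None or ioc["type"] != "ip_address":
            continue                                  # lookup ... | where type="ip_address"
        hits.append({
            "src_ip": rec["src_ip"], "src_port": rec["src_port"],
            "dest_ip": rec["dest_ip"], "dest_port": rec["dest_port"],
            "app": rec["app"], "action": rec["action"],
            "actor": ioc["actor"], "threatlevel": ioc["threatlevel"],
            "kill_chains": ioc["kill_chains"], "ip_address_types": ioc["ip_address_types"],
            "age": indicator_age_days(ioc["last_updated"], now),
        })
    return hits


if __name__ == "__main__":
    for hit in find_threat_hits(SAMPLE_LOG, THREAT_INTEL, EXAMPLE_NOW):
        print(hit)
```

Running it reports the single session to 203.0.113.5 with an indicator age of 7 days; the 10.20.30.40 session drops out at the private-address check and 198.51.100.7 drops out at the lookup, exactly where the corresponding `where` lines in the query remove them.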
Monitor Traffic to Destinations outside of US
This query identifies firewall traffic whose destination IP geolocates outside the US, grouped by the destination's location. Private (RFC 1918) destinations have no public geolocation record, so the results are meaningful only for outbound sessions.
_sourceCategory=network/firewall/pan and ",TRAFFIC"
| parse "*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*" as f1,recvTime,serialNum,type,subtype,f2,genTime,src_ip,dest_ip,natsrc_ip,natdest_ip,ruleName,src_user,dest_user,app,vsys,src_zone,dest_zone,ingress_if,egress_if,logProfile,f3,sessionID,repeatCnt,src_port,dest_port,natsrc_port,natdest_port,flags,protocol,action,bytes,bytes_sent,bytes_recv,packets,start_time,elapsed_time,cat,f4,seqNum,action_flags,src_loc,dest_loc,f5,packets_sent,packets_rcv
| lookup latitude, longitude, country_code, country_name, region, city, postal_code from geo://location on ip = dest_ip
| where country_code<>"US"
| count by latitude, longitude, country_code, country_name, region, city, postal_code
Monitor X-fold Increase in Denied Traffic
This query counts denied sessions in the current 15-minute window and compares the count with the average of the four preceding 15-minute windows, firing when the current count is more than X times that average (X=10 here; change the multiplier in the last line and the window and number of data points in the `compare` line). Two points to check before relying on it: windows with no denies come back as null and are treated as 0, so a baseline of zero makes any single denied session a "spike", and the filter only matches the `deny` action, while PAN-OS also records `drop` and the `reset-*` actions for blocked sessions.
_sourceCategory=network/firewall/pan and ",TRAFFIC"
| parse "*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*" as f1,recvTime,serialNum,type,subtype,f2,genTime,src_ip,dest_ip,natsrc_ip,natdest_ip,ruleName,src_user,dest_user,app,vsys,src_zone,dest_zone,ingress_if,egress_if,logProfile,f3,sessionID,repeatCnt,src_port,dest_port,natsrc_port,natdest_port,flags,protocol,action,bytes,bytes_sent,bytes_recv,packets,start_time,elapsed_time,cat,f4,seqNum,action_flags,src_loc,dest_loc,f5,packets_sent,packets_rcv
| where action="deny"
| count action
| compare with timeshift 15m 4 avg //select time range and desired data points
| if(isNull(_count), 0, _count) as _count
| if(isNull(_count_60m_avg), 0, _count_60m_avg) as _count_60m_avg
| where _count > (10 * _count_60m_avg) //select X-fold
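The same X-fold comparison in Python, as an added example that is not part of the original post: events are bucketed into 15-minute slices, the average of the four preceding slices is the baseline, absent slices count as 0 (the query's `isNull` handling), and a slice is flagged when its deny count exceeds `x_fold` times the baseline. The (receive time, action) pairs are constructed for the example and stand in for already-parsed TRAFFIC records; the optional `min_count` floor is an addition that the query does not have, included because a zero baseline otherwise flags every deny.

```python
from collections import Counter
from datetime import datetime, timedelta

SLICE_MINUTES = 15      # the "15m" timeshift in the query
BASELINE_SLICES = 4     # the "4" data points the query averages
X_FOLD = 10             # the multiplier in the query's final where clause


def constructed_events():
    """Constructed (receive time, action) pairs standing in for parsed TRAFFIC records."""
    base = datetime(2024, 1, 15, 9, 0)
    events = []
    # Four baseline windows with 2, 3, 0 and 3 denies; the 09:30 window has no denies at all,
    # which is the case the query's isNull() handling turns into 0.
    for offset, denies in ((0, 2), (15, 3), (30, 0), (45, 3)):
        events.extend((base + timedelta(minutes=offset, seconds=i), "deny") for i in range(denies))
        events.append((base + timedelta(minutes=offset, seconds=30), "allow"))
    # The current window (10:00) carries 25 denies.
    events.extend((base + timedelta(minutes=60, seconds=i), "deny") for i in range(25))
    return events


def slice_start(ts):
    """Floor a timestamp to the start of its 15-minute slice."""
    return ts.replace(minute=ts.minute - ts.minute % SLICE_MINUTES, second=0, microsecond=0)


def deny_counts(events):
    """`where action="deny" | count` per slice; slices with no denies are simply absent."""
    counts = Counter()
    for ts, action in events:
        if action == "deny":
            counts[slice_start(ts)] += 1
    return counts


def find_spikes(events, x_fold=X_FOLD, min_count=0):
    """Flag slices whose deny count exceeds x_fold times the average of the
    BASELINE_SLICES preceding slices. Absent slices count as 0, as in the query,
    so with min_count=0 a baseline of zero makes any deny a spike; raise min_count
    to require an absolute floor as well."""
    counts = deny_counts(events)
    if not counts:
        return []
    step = timedelta(minutes=SLICE_MINUTES)
    # Start at the first slice that has BASELINE_SLICES slices of data before it.
    t = min(counts) + step * BASELINE_SLICES
    spikes = []
    while t <= max(counts):
        current = counts.get(t, 0)                      # isNull(_count) -> 0
        prior = [counts.get(t - step * k, 0) for k in range(1, BASELINE_SLICES + 1)]
        baseline = sum(prior) / BASELINE_SLICES         # isNull(_count_60m_avg) -> 0
        if current >= min_count and current > x_fold * baseline:
            spikes.append((t, current, baseline))
        t += step
    return spikes


if __name__ == "__main__":
    for when, current, baseline in find_spikes(constructed_events()):
        print(f"{when:%H:%M} denies={current} baseline_avg={baseline:.1f}")
```

On the constructed data the 10:00 slice is flagged (25 denies against a baseline average of 2.0); with `x_fold=15` nothing fires, because 25 is not more than 30.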