Firewall - Palo Alto

There are two categories of Palo Alto alarms:

1. URL Filtering Alert – Monitors internet usage within the organization.

2. Tampering – Detects the deletion of Palo Alto logs.

LP_PaloAlto Potential Risk Activity
Description Triggered when a user visits a domain or site that Palo Alto URL filtering has categorised as Grayware, Hacking, Parked, or Phishing, i.e. scam, hacking, or otherwise untrusted sites, including those Palo Alto has identified as phishing pages.
Log source Firewall
Value Visiting untrusted sites endangers both the user and the organisation and should be prevented.
Rationale This alert detects access to websites categorized as phishing, hacking, or grayware by Palo Alto URL filtering. Such domains are often used to deliver malware, collect credentials, or conduct reconnaissance. Blocking and monitoring this activity helps reduce user exposure to threats and supports NIST 800-53 SI-4 (System Monitoring), SC-7 (Boundary Protection), ISO 27001 A.12.2.1 (Malware Protection), and CIS Control 13.7 (Web Filtering).
Query
norm_id = PaloAltoNetworkFirewall label = Traffic category in ['Grayware','Hacking','Parked','Phishing']
Comments To enable this, configure URL filtering logging on PAN-OS for the URL filtering categories Grayware, Hacking, Parked, and Phishing.
Type PaloAlto URL Filtering Alert
MITRE ATT&CK

T1566.002 – Phishing: Spearphishing Link

 

LP_PaloAlto Potential C2 Connection
Description Triggered when a URL or domain categorised as Command and Control, Dynamic DNS (dynamically assigned addresses), Malware, or Newly Registered Domain is visited. Such sites are often used to deliver malware payloads, carry C2 traffic and commands, or exfiltrate data.
Log source Firewall
Value Outbound C2 traffic is a strong indicator of an already compromised host; catching it early limits the attacker's window for issuing commands, moving laterally, or exfiltrating data.
Rationale This alert detects access to domains associated with C2 activity, dynamic DNS, newly registered domains, and known malware sources—common indicators of active infection or compromise. Early identification can prevent data exfiltration and lateral movement. It aligns with NIST 800-53 SI-4 (System Monitoring), SC-7 (Boundary Protection), ISO 27001 A.12.6.1 (Technical Vulnerability Management), and CIS Control 13.9 (Monitor for Unapproved Services).
Query
norm_id = PaloAltoNetworkFirewall label = Traffic category in ['Command and Control','Dynamic DNS','Malware','Newly Registered Domain']
Comments To enable this, configure URL filtering logging on PAN-OS for the URL filtering categories Command and Control, Dynamic DNS, Malware, and Newly Registered Domain.
Type PaloAlto URL Filtering Alert
MITRE ATT&CK T1071 – Application Layer Protocol

 

LP_PaloAlto Illegal Content Download
Description Triggered when a site categorised by Palo Alto URL filtering as Copyright Infringement is visited. Such sites distribute pirated content and frequently bundle it with malware.
Log source Firewall
Value Monitoring this traffic enforces the acceptable use policy, reduces legal exposure, and limits the chance of users downloading trojanised content.
Rationale This alert detects access to websites categorized under "Copyright Infringement," which may be used to distribute pirated or malicious content. While not directly mapped to a specific ATT&CK technique, monitoring such traffic is essential to enforce acceptable use policies, reduce legal risk, and prevent potential malware exposure. It aligns with NIST 800-53 AC-8 (System Use Notification), SI-4 (System Monitoring), ISO 27001 A.12.6.2 (Restrictions on software installation), and CIS Control 13.7 (Web Filtering).
Query
norm_id = PaloAltoNetworkFirewall label = Traffic category = 'Copyright Infringement'
Comments To enable this, configure URL filtering logging on PAN-OS for the URL filtering category Copyright Infringement.
Type PaloAlto URL Filtering Alert
MITRE ATT&CK None

 

LP_PaloAlto Log Deletion
Description Triggered when logs are cleared on the firewall. The system event records the administrator who performed the action in its description field.
Log source Firewall
Value Clearing firewall logs destroys the audit trail of everything that passed through the device; an attacker with administrative access may do this to hide earlier activity, so the event must be raised before the evidence is gone.
Rationale This alert detects log deletion events, which may indicate attempts to cover tracks after malicious activity. Even though it's on a network device (not a host), the action aligns with the intent of indicator removal to evade detection. Monitoring such events supports NIST 800-53 AU-9 (Audit Protection), SI-4 (System Monitoring), ISO 27001 A.12.4.1 (Event Logging), and CIS Control 8.7 (Protect Audit Logs).
Query
norm_id = PaloAltoNetworkFirewall event_category = System description = "Log*clear*"
Comments To enable this, system log forwarding must be configured on PAN-OS so that the SIEM receives system events; the rule matches any system event whose description contains "Log" followed by "clear" (the log-clear audit message). The "*" is a wildcard, so the match is independent of which log type was cleared.
Type PaloAlto Tampering
MITRE ATT&CK T1070.001 – Indicator Removal on Host: Clear Windows Event Logs
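To make the four rule definitions above concrete, here is an added Python example (not LogPoint or Palo Alto code) that evaluates the same logic over a handful of constructed, normalized events written as key=value lines using the field names the queries reference (norm_id, label, category, event_category, description). The url and user fields, the sample event text, and the case-insensitive wildcard match on description are assumptions of this example, not something the page specifies.

```python
"""Evaluate the four LP_PaloAlto alert rules above against normalized events.

Added example, not LogPoint or Palo Alto code. Sample events are constructed
as key=value lines using the normalized field names the queries reference
(norm_id, label, category, event_category, description). The url and user
fields, and the case-insensitive wildcard match, are assumptions.
"""
import fnmatch
import shlex

# Constructed sample events (not real firewall output). Quoted values may
# contain spaces, as the multi-word PAN-OS URL categories do.
SAMPLE_EVENTS = """\
norm_id=PaloAltoNetworkFirewall label=Traffic category=Phishing url="login-example.test/verify" user=alice
norm_id=PaloAltoNetworkFirewall label=Traffic category="Command and Control" url="c2.example.invalid" user=bob
norm_id=PaloAltoNetworkFirewall label=Traffic category="Newly Registered Domain" url="new.example.invalid" user=bob
norm_id=PaloAltoNetworkFirewall label=Traffic category="Copyright Infringement" url="tracker.example.invalid" user=carol
norm_id=PaloAltoNetworkFirewall label=Traffic category=Business url="intranet.example.invalid" user=alice
norm_id=PaloAltoNetworkFirewall event_category=System description="Log of type traffic cleared by admin"
norm_id=PaloAltoNetworkFirewall event_category=System description="Commit job succeeded"
norm_id=CiscoASA label=Traffic category=Phishing url="login-example.test/verify" user=dave
"""

# One entry per rule on this page: fixed-field matches, then either a
# category set (URL Filtering alerts) or a wildcard on description (Tampering).
RULES = [
    {"name": "LP_PaloAlto Potential Risk Activity", "attack": "T1566.002",
     "match": {"label": "Traffic"},
     "category_in": {"Grayware", "Hacking", "Parked", "Phishing"}},
    {"name": "LP_PaloAlto Potential C2 Connection", "attack": "T1071",
     "match": {"label": "Traffic"},
     "category_in": {"Command and Control", "Dynamic DNS", "Malware",
                     "Newly Registered Domain"}},
    {"name": "LP_PaloAlto Illegal Content Download", "attack": None,
     "match": {"label": "Traffic"},
     "category_in": {"Copyright Infringement"}},
    {"name": "LP_PaloAlto Log Deletion", "attack": "T1070.001",
     "match": {"event_category": "System"},
     "description_like": "Log*clear*"},
]


def parse_event(line):
    """Parse one key=value line into a dict; shlex handles quoted values."""
    event = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def rule_matches(rule, event):
    """Apply one rule to one normalized event."""
    # Every rule is scoped to the Palo Alto normalizer first.
    if event.get("norm_id") != "PaloAltoNetworkFirewall":
        return False
    for key, wanted in rule["match"].items():
        if event.get(key) != wanted:
            return False
    if "category_in" in rule:
        return event.get("category") in rule["category_in"]
    if "description_like" in rule:
        # '*' matches any run of characters, as in the page's "Log*clear*".
        # Case-insensitive comparison is an assumption of this example.
        return fnmatch.fnmatchcase(event.get("description", "").lower(),
                                   rule["description_like"].lower())
    return False


def evaluate(text):
    """Return one alert dict per (rule, event) match, in input order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in RULES:
            if rule_matches(rule, event):
                alerts.append({
                    "rule": rule["name"],
                    "attack": rule["attack"],
                    "user": event.get("user"),
                    "detail": event.get("url") or event.get("description"),
                })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f'{alert["rule"]:42} {alert["attack"] or "-":10} '
              f'{alert["user"] or "-":8} {alert["detail"]}')
```

Run against the constructed sample, the Business visit, the commit message and the CiscoASA event produce nothing, and the two visits by bob both fire the C2 rule. The shared norm_id check is what keeps a Phishing category from another vendor's normalizer out of these rules, and the quoted multi-word categories are why the queries above must use straight quotes: a category such as 'Command and Control' would otherwise be split into three tokens.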

Palo Alto Firewall Dashboards

LP_PaloAlto: User Activities
Description This dashboard has widgets that can provide an overview of user activity in the PaloAlto firewall.
Log source Firewall
Value Contains widgets with information about user activity such as user actions, user threats and user web behavior.
Widgets / Use cases

1. Users Action

2. Top 10 Users in Action

3. Top Event Categories

4. Top 10 Web Categories

5. Top 10 Threat Categories

6. Top 10 Applications

7. Top 10 Domain Accessed

8. Application not using Default Port

9. Top 10 Content Types

10. Potential Data Leakage

11. Rare Application

12. Multiple Failed User Authentications

Comments It is possible to configure the widgets, e.g. Top 20 instead of Top 10.
Type Dashboard
MITRE ATT&CK T1071 – Application Layer Protocol (Generic)

 

LP_PaloAlto: Threats
Description This dashboard has widgets that provide insight into threats observed by the PaloAlto firewall.
Log source Firewall
Value Contains widgets such as: Threats by Category, Risk levels, email threats.
Rationale This dashboard provides insight into threat intelligence detected by Palo Alto, including exploit attempts, malware activity, and email-based threats. Widgets such as WildFire submissions, threat categories, and vulnerable files help identify real-time attack vectors and targeted users. It supports NIST 800-53 SI-4 (System Monitoring), IR-5 (Incident Monitoring), ISO 27001 A.12.2.1 (Protection from Malware), and CIS Controls 13.1 and 8.7 (Threat Detection and Log Protection).
Widgets / Use cases

1. Threats by Category - Timetrend

2. Risk Values (High and Low)

3. Top 10 Actions

4. Top 10 Threat Applications

5. Top 10 Targeted Users

6. Top 10 Threat Sources

7. WildFire Submission

8. Top 10 Threat Categories

9. Top 10 Threat Destinations

10. Top 10 Vulnerable Files

11. Email Threats

12. WildFire Details

13. Top 10 Source Countries

Comments It is possible to configure the widgets, e.g. Top 20 instead of Top 10. The Skype and Dropbox usage widgets on the Traffic dashboard can likewise be pointed at any other third-party application by changing the underlying search.
Type Dashboard
MITRE ATT&CK T1203 – Exploitation for Client Execution

 

LP_PaloAlto: Traffic
Description This dashboard shows the most common traffic seen by the PaloAlto firewall.
Log source Firewall
Value Provides a good overview of traffic, including bandwidth per application, denied connections, and failed authentications.
Rationale This dashboard provides visibility into network traffic patterns, including blocked and allowed applications, country-based denials, and authentication anomalies. Such insights support detection of suspicious or unauthorized communication. It aligns with NIST 800-53 SI-4 (System Monitoring), SC-7 (Boundary Protection), ISO 27001 A.13.1.1 (Network Controls), and CIS Control 13.1 (Network Monitoring).
Widgets / Use cases

1. Top 10 Blocked Applications by Bandwidth

2. Top 10 Allowed Applications by Bandwidth

3. Top 10 Blocked Applications

4. Top 10 Denied Connections by Country

5. Traffic over Time

6. Heaviest Usage of Skype

7. Heaviest usage of Dropbox

8. Severity by Protocol

9. Multiple Failed Authentication from Source

Comments It is possible to configure the widgets, e.g. Top 20 instead of Top 10.
Type Dashboard
MITRE ATT&CK T1040 – Network Sniffing