
Monitor intranet traffic to dangerous websites

In this guided tutorial, you will generate a Graph diagram from firewall log data in order to visualize and analyze access to dangerous sites from within your company's intranet.

There are two phases explained below:

Build and enhance the query

This is the query used in the tutorial video. You can go to Data Search → Free Text Query and paste it, or follow the steps below to build it.

from firewall.paloalto.traffic where serial = "012001000758", ispublic(dstIp) select mmcoordinates(dstIp) as dstServerCoordinates, `lu/Threat-Malware-by-IP/threat`(dstIp) as Threat where isnotnull(Threat) select `lu/IPNames/Full Name`(srcIp) as UserName group every 30m by UserName, dstIp, dstServerCoordinates, Threat, dstCountry every 1h select count() as count, avg(bytes) as bytes

Generate the Graph diagram

For more details on how to use the settings to view the information in different ways, see Working in the graph diagram.