Monitor intranet traffic to dangerous websites
In this guided tutorial, you will generate a Graph diagram using firewall log data in order to visualize and analyze access to dangerous sites from within your company's Intranet.
There are two phases explained below:
Build and enhance the query
This is the query used in the tutorial video. You can go to Data Search → Free Text Query and paste it, or follow the steps below to build it. In outline, it reads the traffic table of a single Palo Alto firewall (selected by its serial number), keeps only connections to public destination IPs, enriches each destination with its geographic coordinates and a threat category from the Threat-Malware-by-IP lookup, discards destinations with no threat match, resolves the source IP to a user name through the IPNames lookup, and finally groups the surviving rows every 30 minutes to count the accesses and average the bytes transferred.
from firewall.paloalto.traffic
where serial = "012001000758",
ispublic(dstIp)
select mmcoordinates(dstIp) as dstServerCoordinates,
`lu/Threat-Malware-by-IP/threat`(dstIp) as Threat
where isnotnull(Threat)
select `lu/IPNames/Full Name`(srcIp) as UserName
group every 30m by UserName, dstIp, dstServerCoordinates, Threat, dstCountry
every 1h
select count() as count,
avg(bytes) as bytes
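To make the effect of each stage visible before you run it against live data, here is the same pipeline implemented in plain Python over a handful of constructed firewall rows. This is an added example, not code from the Devo tutorial or the Devo product: the IP addresses, the lookup contents (stand-ins for lu/Threat-Malware-by-IP, lu/IPNames and mmcoordinates) and the log rows are all constructed for illustration, and the query's "every 1h" evaluation cadence is a scheduling detail that is not modelled.

```python
# Added example, not part of the Devo tutorial: the LINQ query above re-implemented
# in plain Python over constructed Palo Alto traffic rows, so each stage's effect
# (filters, lookups, 30-minute grouping, aggregation) can be inspected offline.
# All IP addresses, lookup contents and log rows below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress
import statistics

FIREWALL_SERIAL = "012001000758"

# Constructed rows of firewall.paloalto.traffic (only the columns the query uses):
# (eventdate UTC, serial, srcIp, dstIp, dstCountry, bytes)
SAMPLE_TRAFFIC = [
    ("2024-03-01T09:05:00Z", "012001000758", "10.0.5.23", "91.200.12.34", "US", 1200),
    ("2024-03-01T09:12:00Z", "012001000758", "10.0.5.23", "91.200.12.34", "US", 800),
    ("2024-03-01T09:40:00Z", "012001000758", "10.0.5.41", "185.23.45.67", "NL", 5000),
    ("2024-03-01T09:44:00Z", "012001000758", "10.0.5.41", "10.0.9.9", "", 300),       # internal destination
    ("2024-03-01T09:50:00Z", "012001000758", "10.0.5.60", "37.49.230.5", "DE", 150),  # not in the threat lookup
    ("2024-03-01T10:03:00Z", "019999999999", "10.0.5.23", "91.200.12.34", "US", 900), # a different firewall
]

# Constructed stand-ins for the lookups and enrichment the query uses.
THREAT_BY_IP = {"91.200.12.34": "malware-c2", "185.23.45.67": "phishing"}        # lu/Threat-Malware-by-IP/threat
IPNAMES_FULL_NAME = {"10.0.5.23": "Alice Example", "10.0.5.41": "Bob Example"}     # lu/IPNames/Full Name
COORDINATES = {"91.200.12.34": (37.75, -122.42), "185.23.45.67": (52.37, 4.90)}    # mmcoordinates(dstIp)


def is_public(ip):
    """Stand-in for ispublic(), using the standard library's notion of a globally
    routable address: RFC 1918 space, loopback, link-local and the documentation
    ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) are all rejected, which is
    why the constructed 'external' addresses above deliberately avoid TEST-NET."""
    return ipaddress.ip_address(ip).is_global


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bucket_start(ts, period):
    """Start of the fixed window ts falls into (the 'group every 30m' step)."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((ts - epoch) // period) * period


def dangerous_site_access(rows, serial=FIREWALL_SERIAL, period=timedelta(minutes=30)):
    """Apply the query stages in order and return
    {(bucket, UserName, dstIp, dstServerCoordinates, Threat, dstCountry): {count, bytes}}."""
    groups = defaultdict(list)
    for ts, row_serial, src_ip, dst_ip, dst_country, nbytes in rows:
        # where serial = "...", ispublic(dstIp)
        if row_serial != serial or not is_public(dst_ip):
            continue
        # select mmcoordinates(dstIp), lu/Threat-Malware-by-IP/threat(dstIp)
        coords = COORDINATES.get(dst_ip)
        threat = THREAT_BY_IP.get(dst_ip)
        # where isnotnull(Threat): only destinations with a threat match survive
        if threat is None:
            continue
        # select lu/IPNames/Full Name(srcIp): there is no null filter on this one,
        # so an unmapped source IP is kept and shows up with UserName = None (null in Devo)
        user = IPNAMES_FULL_NAME.get(src_ip)
        key = (bucket_start(parse_ts(ts), period), user, dst_ip, coords, threat, dst_country)
        groups[key].append(nbytes)
    # select count() as count, avg(bytes) as bytes
    return {k: {"count": len(v), "bytes": statistics.fmean(v)} for k, v in groups.items()}


if __name__ == "__main__":
    result = dangerous_site_access(SAMPLE_TRAFFIC)
    for key, agg in sorted(result.items(), key=lambda kv: (kv[0][0], str(kv[0][1:]))):
        bucket, user, dst_ip, coords, threat, country = key
        print(f"{bucket:%H:%M} {user!s:14} {dst_ip:14} {country:2} {threat:10} "
              f"count={agg['count']} avg_bytes={agg['bytes']:.0f}")
```

Running it prints two groups: Alice's two connections to the malware-c2 address collapse into the 09:00 window (count 2, average 1000 bytes) and Bob's phishing connection lands in the 09:30 window. The internal destination, the destination with no threat match and the row from the other firewall are dropped, which is the same pruning the LINQ query performs before it reaches the Graph diagram. Note that only the threat lookup is guarded by isnotnull; a source IP missing from IPNames still appears in the output with an empty user name, so check that lookup's coverage before reading the diagram.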
Generate the Graph diagram
For more details on how to use the settings to view the information in different ways, see Working in the graph diagram.