Monitor intranet traffic to dangerous websites
In this guided tutorial, you will generate a Graph diagram using firewall log data in order to visualize and analyze access to dangerous sites from within your company's Intranet.
There are two phases explained below:
Build and enhance the query
This is the query used in the tutorial video. You can go to Data Search → Free Text Query and paste it, or follow the steps below to build it.
from firewall.paloalto.traffic
where serial = "012001000758",
ispublic(dstIp)
select mmcoordinates(dstIp) as dstServerCoordinates,
`lu/Threat-Malware-by-IP/threat`(dstIp) as Threat
where isnotnull(Threat)
select `lu/IPNames/Full Name`(srcIp) as UserName
group every 30m by UserName, dstIp, dstServerCoordinates, Threat, dstCountry
every 1h
select count() as count,
avg(bytes) as bytes
You must download the following CSV file and upload it as a lookup before starting this example. Learn more in the Upload a lookup table article.
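To check what the query's filtering and grouping produce before relying on the graph, here is an added Python stand-in (not Devo code or the tutorial's own material) that replays the same pipeline over a handful of constructed firewall rows and constructed Threat-Malware-by-IP and IPNames lookup tables. It assumes a simplified public-IP test in place of ispublic() and omits the mmcoordinates geolocation step.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins (not real data) for firewall.paloalto.traffic rows,
# the Threat-Malware-by-IP lookup and the IPNames lookup used by the query.
SERIAL = "012001000758"
THREAT_BY_IP = {"203.0.113.10": "malware-c2", "198.51.100.7": "phishing"}
NAME_BY_IP = {"10.0.0.5": "Alice Example", "10.0.0.9": "Bob Example"}
ROWS = [  # (eventdate, serial, srcIp, dstIp, dstCountry, bytes)
    (datetime(2024, 1, 1, 9, 5), SERIAL, "10.0.0.5", "203.0.113.10", "US", 1200),
    (datetime(2024, 1, 1, 9, 20), SERIAL, "10.0.0.5", "203.0.113.10", "US", 800),
    (datetime(2024, 1, 1, 9, 45), SERIAL, "10.0.0.9", "198.51.100.7", "NL", 300),
    (datetime(2024, 1, 1, 9, 50), SERIAL, "10.0.0.5", "192.168.1.20", "US", 50),   # private dst
    (datetime(2024, 1, 1, 9, 55), "other", "10.0.0.9", "203.0.113.10", "US", 500),  # other firewall
    (datetime(2024, 1, 1, 9, 58), SERIAL, "10.0.0.9", "203.0.113.99", "US", 70),    # no threat match
]

# Simplified stand-in for ispublic(): anything outside RFC 1918, loopback
# and link-local ranges counts as public (Devo's own check may differ).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)

def bucket(ts, minutes=30):
    # Floor a timestamp to the start of its "group every 30m" window
    start = ts.replace(second=0, microsecond=0)
    return start - timedelta(minutes=start.minute % minutes)

def aggregate(rows, serial=SERIAL, minutes=30):
    # Mirrors the query: filter by serial and public dstIp, keep only rows
    # whose dstIp has a threat entry, resolve srcIp to a user name, then
    # group by window/UserName/dstIp/Threat/dstCountry with count and avg bytes
    groups = defaultdict(list)
    for ts, ser, src, dst, country, nbytes in rows:
        if ser != serial or not is_public(dst):
            continue
        threat = THREAT_BY_IP.get(dst)
        if threat is None:          # isnotnull(Threat)
            continue
        user = NAME_BY_IP.get(src)  # None if the lookup has no entry, like the query
        key = (bucket(ts, minutes), user, dst, threat, country)
        groups[key].append(nbytes)
    return {k: {"count": len(v), "bytes": sum(v) / len(v)} for k, v in groups.items()}

if __name__ == "__main__":
    for key, agg in aggregate(ROWS).items():
        print(key, agg)
```

Only the two rows in the 09:00 window and the one in the 09:30 window survive; the private destination, the other firewall's row and the destination with no threat entry are dropped exactly as the query's where clauses drop them.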
Generate the Graph diagram
For more details on how to use the settings to view the information in different ways, see Working in the graph diagram.