XQL Query Help



L0 Member

Hello All,

I am trying to build a correlation rule for Palo Alto traffic logs to capture local-to-remote traffic, but I am unable to put that condition in the XQL query. Can someone please help me with the condition if you have already built one?

It will start off like this:

dataset = panw_ngfw_traffic_raw | filter <I want Outbound traffic condition here>

2 replies

L5 Sessionator

Hi @Anuja_Prasad, thanks for reaching out to us on the Live Community.

Your XQL query start looks good; you only need to filter on the required fields, like this:

dataset = panw_ngfw_traffic_raw
| filter dest_ip = "8.8.8.8" and dest_port = 53

(DNS traffic to the Google public DNS)


If the required fields are not present in the result, remember to add them to the layout by clicking the three dots and selecting them, as in this example.

[image: jmazzeo_0-1705601162476.png]


If this answers your question, please mark it as the solution.

JM

Thanks! I am actually looking for any outbound traffic over, say, port 53, not just to a particular IP.
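As an added example, not posted by anyone in this thread, here is one way to express "local to remote" without pinning a destination IP: treat the RFC 1918 ranges as local, require the source to be inside them and the destination outside them, and then restrict to port 53. The field names source_ip, dest_ip, dest_port, from_zone, to_zone, app and action are assumed to exist in panw_ngfw_traffic_raw (dest_ip and dest_port appear in the reply above; the rest are assumptions), and incidr() is the XQL CIDR-membership function.

```xql
dataset = panw_ngfw_traffic_raw
// Local = RFC 1918 space; adjust the CIDRs to your own internal ranges (assumed values)
| filter (incidr(source_ip, "10.0.0.0/8")
          or incidr(source_ip, "172.16.0.0/12")
          or incidr(source_ip, "192.168.0.0/16"))
    and not (incidr(dest_ip, "10.0.0.0/8")
             or incidr(dest_ip, "172.16.0.0/12")
             or incidr(dest_ip, "192.168.0.0/16"))
    // Outbound DNS on any remote resolver, not just one IP
    and dest_port = 53
// Assumed field names; add them to the layout if the result does not show them
| fields _time, source_ip, dest_ip, dest_port, app, action
```

If your firewall zones are named consistently, a filter on the assumed zone fields such as from_zone = "trust" and to_zone = "untrust" is a simpler way to express the same local-to-remote direction. Unexpected outbound DNS to resolvers other than your sanctioned ones is worth alerting on, since it can indicate misconfiguration or DNS tunnelling.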
