01-18-2024 09:12 AM
Hello All,
I am trying to build a correlation rule for Palo Alto traffic logs to capture local-to-remote traffic, but I am unable to put that condition in the XQL query. Can someone please help me with the condition if you have already built one?
It will start off like this:
dataset = panw_ngfw_traffic_raw | filter <I want the outbound traffic condition here>
01-18-2024 10:06 AM
Hi @Anuja_Prasad, thanks for reaching out to us on the LIVEcommunity.
The start of your XQL query looks good; you only need to filter on the required fields like this:
dataset = panw_ngfw_traffic_raw
| filter dest_ip = "8.8.8.8" and dest_port = 53
(DNS Traffic to the Google public DNS)
If the required fields are not present in the result, remember to add them to the layout by clicking the three dots and selecting them, as in this example.
If this answers your question, please mark it as the solution.
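Added example (not part of the thread and not the answer above): a filter that keeps only local-to-remote flows over port 53, regardless of the destination IP, by testing which side of the connection sits in a private (RFC 1918) range. The incidr() function and the dest_ip / dest_port fields are standard in XQL and this dataset; the source_ip field name and the assumption that your "local" networks are exactly the RFC 1918 ranges are assumptions to adjust for your environment.

```xql
// Added example, not the thread's own query: local-to-remote (outbound) traffic over port 53.
// Assumption: source_ip / dest_ip are string fields and the internal networks are the RFC 1918 ranges.
dataset = panw_ngfw_traffic_raw
| alter src_is_private = incidr(source_ip, "10.0.0.0/8")
                      or incidr(source_ip, "172.16.0.0/12")
                      or incidr(source_ip, "192.168.0.0/16"),
        dst_is_private = incidr(dest_ip, "10.0.0.0/8")
                      or incidr(dest_ip, "172.16.0.0/12")
                      or incidr(dest_ip, "192.168.0.0/16")
// Outbound = private source talking to a non-private destination; port 53 narrows it to DNS.
| filter src_is_private = true and dst_is_private = false and dest_port = 53
| fields _time, source_ip, dest_ip, dest_port
```

If your firewall logs public IP space as internal (or carrier-grade NAT, 100.64.0.0/10), add those ranges to both alter expressions; otherwise such flows will be misclassified as remote on the source side and silently dropped by the filter. Once the filter returns the rows you expect, the same query body can be reused as the condition of the correlation rule.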
01-18-2024 11:35 AM
Thanks! I am actually looking for any outbound traffic over, say, port 53, not just to a particular IP.