Filter Query Lexicon

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Filter Query Lexicon

L1 Bithead

Hi there,

Is there a document that contains the dictionary of terms, and the description of the syntax of the PANOS filter query language?

I've looked through the knowledge base, but I didn't find anything that looks like a syntax document.

This would be specifically for using the filter query in the PANOS 6.0 GUI. I'm not concerned with the CLI syntax.

Thank you!

1 accepted solution

Accepted Solutions

L2 Linker

You can just click on + (add filter) symbol under Monitor --> Traffic or Threat or URL etc. and then use Add log filter to get desired results.

Helpful doc: How to Add, Save, Load, and Clear Log Filters

filter.PNG

View solution in original post

4 REPLIES 4

L4 Transporter

Just to clarify, you mean for filtering logs from the GUI under 'Monitor' ?

Example:

Monitor > Traffic

( addr.src in 172.16.81.2 ) and ( app eq dns )

Untitled.png

I don't see a KB article for this either. This may be due to how easy it is to just click any of the logs and it will populate the proper filter syntax for you. If you wanted to filter for a source IP address, you could click the source IP under any of the logs, then simply change the IP address in the search bar and click the green arrow to "Apply Filter".

Note: There are some KBs that do exist about this, but they are for very specific filters that you cannot easily figure out.

Example - Filtering Traffic Logs for Only Unidentified Users

Please do not forget to mark this thread as 'Answered' or mark any 'Helpful answered provided by any of our responses.

Thanks!

L3 Networker

To truly appreciate the capability of this box i would recommend logging and alerting everything Smiley Happy then tune out false positive or severity . Below is based on 6.0 but 6.1 has some additional http fields it can log.

easiest thing to do is use the gui to do a filter then write it down but its pretty simple once you get it going and replace the eq with a contains or neq for negate (you could also put a ! to negate the filter) geq  greater than or equal , leq less than or equal ,  (neq "") or (contains"")  for is present .

You could also start with the ACC then move to the traffic logs once filters are setup.

Each log (traffic, threat,url,datafilter etc..) can have their specfic syntax . Also the syntax may overlap with the custom reports but not always. The syntax also doesnt' match doesnt' match up 100% with the traffic filters.

from traffic logs its : category-of-app eq media


for example from a custom report to filter app category of media syntax is : category-of-name eq media

same with sub categories

subcategory-of-app eq photo-video in traffic logs , subcategory-of-name eq photo-video in custom reports

The two mentioned also aren't available as a selectable attribute in the Add log filter gui

You can also enter some attributes that are NOT available in the dropdown Smiley Wink

Some interesting filter examples in the traffic log

1. photo-video downloads greater than 100mb

subcategory-of-app eq photo-video and bytes_received geg 100000000

2. bytes sent greater than 1mb to destination country no US

bytes_sent geg 1000000 and dstloc neq US

3. filter for app category of media application NOT rtmp

category-of-app eq media and app neq rtmp

You can also nest multiple search terms

4. Any ip of from subnet 192.168.0.0/16 in source or dest , application is ssl and dest port is NOT 443

addr in 192.168.0.0/16 and app eq ssl and port.dst neq 443

5. looking for destination port 80 or 8080 that is not application web-browsing

((port.dst eq 80) or (port.dst eq 8080)) and app neq web-browsing

Some interesting filter examples in the threat log


If a device is managed by panorama there is a field 'URL' that shows up but this is actually additional info such as a file etc.. in the custom report the attribute value is 'misc' . Even if a device is not managed by the firewall you can filter for misc . In a detailed log view under 'threat detail' you'll also see the option of URL . In panorama you can simply look at the URL field in the threat logs

1. To see if a medium severity or higher threat has any value for url / misc

severity geq medium and misc neq ""


2. Virus that matches smtp

subtype eq virus and app eq smtp


3. threats that are not a virus that contains a .doc or .docx file name (only the data filtering logs lets  you filter by file type / threatid for a file so searching by file ext could provide some useful data)


!(subtype eq virus) and ((misc contains .doc) or (misc contains .docx))


Some interesting filter examples in the URL log


1. find a url that partially matches vpn.


url contains vpn.


2. category malware and application ssl or port 443


category eq malware and ((app eq ssl) or (port.dst.eq 443))


Now for some interesting filter examples in the Data Filtering

1. Findout if people are downloading pirated movie / tv shows via http .

filename that contains hdtv (commonly used for illegal ripped hdtv shows), threatid eq 52104 (threat id to match file type mp4)

More info http://en.wikipedia.org/wiki/Pirated_movie_release_types

filename contains hdtv and threatid eq 52104

2. All file types PE that were not part of a software update category

subcategory-of-app neq software-update and threatid eq 52060

L2 Linker

You can just click on + (add filter) symbol under Monitor --> Traffic or Threat or URL etc. and then use Add log filter to get desired results.

Helpful doc: How to Add, Save, Load, and Clear Log Filters

filter.PNG

L7 Applicator

I don't know of a list, but the wizard for the filter is pretty easy to setup whatever you need,

Hit the Plus icon + on the right and then use the menu to construct your desired filter settings.

Filter.png

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 1 accepted solution
  • 6676 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!