
metadata.log_type = "FW"
metadata.event_type = "NETWORK_CONNECTION"
$ip_blocked = principal.ip
$custom_action = security_result.action
principal.ip in %my_manually_blocked_ip
match:
$custom_action, $ip_blocked
outcome:
$evt_count = count_distinct(metadata.id)
$target_protocol = array_distinct(target.application)

order:
$evt_count desc


I have developed this query to see if there is any allow action after the blocked action for my IP.
How can I adjust my query to get the timestamp of the blocked action and the timestamp of the allowed action and compare them? If the allow is after the block action, then I will put an indicator in the outcome that the manually blocked IP has not been blocked correctly.
Thanks

This use case (multi-event joins, i.e. a join between allow and blocked events to compare the timestamps) is currently not supported in Search. It's a roadmap item for sure, hopefully coming by fall this year.

Alternately, you can write a detection rule that fires a detection for this use case. Here is an example of a detection rule that somewhat aligns with your use case:


rule test_IOC_community_question {
  meta:
    rule_name = "IOC Match example"
    description = "Fires alert if FW allow is after the block for a blocked/malicious IP"

  events:
    // $allow: firewall events that let traffic through to an IP on the manual block list
    $allow.metadata.log_type = "PAN_FIREWALL"
    $allow.target.ip = $ip
    $allow.target.ip in %my_manually_blocked_ip
    $allow.security_result.action = "ALLOW"

    // $block: firewall events that blocked traffic to the same IP
    $block.metadata.log_type = "PAN_FIREWALL"
    $block.target.ip = $ip
    $block.target.ip in %my_manually_blocked_ip
    $block.security_result.action = "BLOCK"

    // Join condition: the allow must have happened after the block
    $allow.metadata.event_timestamp.seconds > $block.metadata.event_timestamp.seconds

  match:
    // Group allow/block pairs by IP within a one-hour window
    $ip over 1h

  outcome:
    $evt_count = count_distinct($allow.metadata.id)
    $target_protocol = array_distinct($allow.target.application)

  condition:
    // Fire only when both an allow and a block exist for the same IP
    $allow and $block
}

The condition that is present in the rule $allow.metadata.event_timestamp.seconds > $block.metadata.event_timestamp.seconds lets you compare the time stamps of the two event types (Allow and Blocked).


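To show what the rule above actually computes, here is an added Python re-implementation of its allow-after-block logic run over constructed UDM-style events (example code, not part of the original thread or of Google SecOps). The reference list MANUALLY_BLOCKED_IPS stands in for %my_manually_blocked_ip, and the sample events and their field names are assumptions shaped after the UDM fields the rule references.

```python
from collections import defaultdict

# Hypothetical reference list standing in for %my_manually_blocked_ip.
MANUALLY_BLOCKED_IPS = {"203.0.113.10", "203.0.113.20"}
WINDOW_SECONDS = 3600  # the rule's "match: $ip over 1h"

# Constructed sample events carrying only the UDM fields the rule uses.
SAMPLE_EVENTS = [
    {"id": "e1", "log_type": "PAN_FIREWALL", "target_ip": "203.0.113.10",
     "action": "BLOCK", "ts": 1_700_000_000, "app": "ssl"},
    {"id": "e2", "log_type": "PAN_FIREWALL", "target_ip": "203.0.113.10",
     "action": "ALLOW", "ts": 1_700_000_600, "app": "ssl"},  # 10 min after block
    {"id": "e3", "log_type": "PAN_FIREWALL", "target_ip": "203.0.113.10",
     "action": "ALLOW", "ts": 1_700_000_900, "app": "web-browsing"},
    {"id": "e4", "log_type": "PAN_FIREWALL", "target_ip": "203.0.113.20",
     "action": "ALLOW", "ts": 1_700_000_000, "app": "dns"},
    {"id": "e5", "log_type": "PAN_FIREWALL", "target_ip": "203.0.113.20",
     "action": "BLOCK", "ts": 1_700_000_300, "app": "dns"},  # allow came first: OK
    {"id": "e6", "log_type": "PAN_FIREWALL", "target_ip": "198.51.100.5",
     "action": "ALLOW", "ts": 1_700_000_100, "app": "ssh"},  # not on the list
]


def allow_after_block(events, blocked_ips=MANUALLY_BLOCKED_IPS,
                      window=WINDOW_SECONDS, log_type="PAN_FIREWALL"):
    """Return {ip: {"evt_count": n, "target_protocol": [...]}} for each listed IP
    that has an ALLOW later than a BLOCK within `window` seconds. This mirrors
    the rule's $allow/$block join, its 1h match window and its outcome section."""
    by_ip = defaultdict(list)
    for e in events:  # the shared filters: log type and membership in the list
        if e["log_type"] == log_type and e["target_ip"] in blocked_ips:
            by_ip[e["target_ip"]].append(e)
    detections = {}
    for ip, evs in by_ip.items():
        blocks = [e for e in evs if e["action"] == "BLOCK"]
        # An ALLOW is a finding if some BLOCK precedes it (strictly) within the window.
        bad_allows = [a for a in evs if a["action"] == "ALLOW"
                      and any(0 < a["ts"] - b["ts"] <= window for b in blocks)]
        if bad_allows:  # condition: $allow and $block
            detections[ip] = {
                "evt_count": len({a["id"] for a in bad_allows}),
                "target_protocol": sorted({a["app"] for a in bad_allows}),
            }
    return detections


if __name__ == "__main__":
    for ip, outcome in allow_after_block(SAMPLE_EVENTS).items():
        print(f"{ip}: manual block not effective -> {outcome}")
```

Only 203.0.113.10 is reported: its two allows follow the block, while 203.0.113.20 was allowed before it was blocked and 198.51.100.5 is not on the list.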