
metadata.log_type = "FW"
metadata.event_type = "NETWORK_CONNECTION"
$ip_blocked = principal.ip
$custom_action = security_result.action
principal.ip in %my_manually_blocked_ip

match:
  $custom_action, $ip_blocked

outcome:
  $evt_count = count_distinct(metadata.id)
  $target_protocol = array_distinct(target.application)

order:
  $evt_count desc

I have developed this query to see if there is any allow action after the blocked action for my IP.
How can I adjust my query to get the timestamp of the blocked action and the timestamp of the allowed action and compare them? If the allow is after the block action, then I will put an indicator in the outcome that the manually blocked IP has not been blocked correctly.
Thanks

This use case (multi-event joins, i.e. a join between allow and block events to compare the timestamps) is currently not supported in Search. It's a roadmap item for sure, hopefully coming by fall this year.


Alternately you can write a detection rule that fires a detection for this use case. Here is an example of the detection rule that somewhat aligns to your use case:


rule test_IOC_community_question {

  meta:
    rule_name = "IOC Match example"
    description = "Fires alert if FW allow is after the block for a blocked/malicious IP"

  events:
    // Allowed connections to an IP on the manually blocked list
    $allow.metadata.log_type = "PAN_FIREWALL"
    $allow.target.ip = $ip
    $allow.target.ip in %my_manually_blocked_ip
    $allow.security_result.action = "ALLOW"

    // Blocked connections to the same IP
    $block.metadata.log_type = "PAN_FIREWALL"
    $block.target.ip = $ip
    $block.target.ip in %my_manually_blocked_ip
    $block.security_result.action = "BLOCK"

    // The allow must come later than the block
    $allow.metadata.event_timestamp.seconds > $block.metadata.event_timestamp.seconds

  match:
    $ip over 1h

  outcome:
    $evt_count = count_distinct($allow.metadata.id)
    $target_protocol = array_distinct($allow.target.application)

  condition:
    $allow and $block
}


The condition present in the rule, $allow.metadata.event_timestamp.seconds > $block.metadata.event_timestamp.seconds, lets you compare the timestamps of the two event types (Allow and Block).
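Added example, not part of the original post or of Google SecOps: a small Python re-implementation of the rule's join logic over constructed firewall events, useful for reasoning offline about which events the allow-after-block check would surface and what the two outcome fields would contain. The blocked-IP list, event values and field names are constructed to mirror the UDM fields the rule reads, and the "$ip over 1h" match window is approximated as "the ALLOW falls within 3600 s after a BLOCK".

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FwEvent:
    """One firewall event, carrying only the UDM fields the rule reads."""
    event_id: str     # metadata.id
    ts: int           # metadata.event_timestamp.seconds
    target_ip: str    # target.ip
    action: str       # security_result.action ("ALLOW" or "BLOCK")
    application: str  # target.application


# Constructed stand-in for the %my_manually_blocked_ip reference list.
BLOCKED_IPS = {"203.0.113.10", "203.0.113.20"}

# Constructed sample events (timestamps are seconds, ordered for readability).
EVENTS = [
    FwEvent("e1", 1000, "203.0.113.10", "BLOCK", "ssl"),
    FwEvent("e2", 1600, "203.0.113.10", "ALLOW", "ssl"),  # allow after block -> finding
    FwEvent("e3", 1700, "203.0.113.10", "ALLOW", "dns"),  # second allow, other protocol
    FwEvent("e4", 2000, "203.0.113.20", "ALLOW", "web"),  # allow BEFORE block -> no finding
    FwEvent("e5", 2500, "203.0.113.20", "BLOCK", "web"),
    FwEvent("e6", 3000, "198.51.100.5", "ALLOW", "web"),  # IP not on the list -> ignored
    FwEvent("e7", 9000, "203.0.113.20", "ALLOW", "web"),  # allow >1h after block -> outside window
]


def find_allow_after_block(events, blocked_ips, window_s=3600):
    """Mirror the rule: per listed IP, find ALLOW events whose timestamp is later
    than a BLOCK for the same IP and within window_s of it. Returns a dict
    {ip: {"evt_count": distinct allow ids, "target_protocol": sorted protocols}}."""
    by_ip = defaultdict(list)
    for e in events:
        if e.target_ip in blocked_ips and e.action in ("ALLOW", "BLOCK"):
            by_ip[e.target_ip].append(e)

    results = {}
    for ip, evs in by_ip.items():
        blocks = [e for e in evs if e.action == "BLOCK"]
        # Every ALLOW that satisfies "$allow.ts > $block.ts" for some BLOCK in the window
        offenders = {a for a in evs if a.action == "ALLOW"
                     for b in blocks if b.ts < a.ts <= b.ts + window_s}
        if offenders:  # condition: $allow and $block both matched
            results[ip] = {
                "evt_count": len({a.event_id for a in offenders}),
                "target_protocol": sorted({a.application for a in offenders}),
            }
    return results
```

Running find_allow_after_block(EVENTS, BLOCKED_IPS) on the sample data reports only 203.0.113.10, with two distinct allow events over the protocols dns and ssl; the allow that preceded its block and the one more than an hour after it are left out, as the rule's ordering condition and match window would leave them out.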

