(severity eq critical or description contains 'System restart requested '
or (subtype eq ha and (eventid eq state-change or eventid eq preempt))
or (eventid eq routed-BGP-peer-enter-established
or eventid eq routed-OSPF-neighbor-full
or eventid eq routed-OSPF-neighbor-2dir
or eventid eq routed-OSPF-neighbor-down)
or (severity eq high and !(subtype eq userid or eventid eq syslog-conn-status or eventid eq general))
or (description contains 'Installed panos software version ')
) and !(eventid eq saml-message-parse-error) and !(subtype eq device-telemetry)
description contains 'FW has lost connection to panorama, no log will be forwarded' or description contains '<LOCALAMINACCOUNT>' or description contains 'Disconnected from Panorama Server' or description contains 'hints'
Threat:
(!(action eq alert or action eq allow) or severity eq critical or severity eq high)
WildFire:
!(verdict eq benign)
URL:
(url_category_list contains medium-risk or url_category_list contains high-risk or url_category_list contains command-and-control or url_category_list contains malware or url_category_list contains phishing or url_category_list contains ransomware or url_category_list contains newly-registered-domain)
System - firewall logons and high/critical
(subtype eq auth or severity eq critical or severity eq high or description contains 'Installed panos software version ' or description contains 'System restart requested ') and !(eventid eq saml-message-parse-error or subtype eq device-telemetry)
Config
GlobalProtect
Correlation
URL
cryptocurrency grayware parked peer-to-peer unknown insufficient-content
System
subtype eq dhcp