crowdstrike_cql
TTP

Torrent Website Access Detected

Detects users successfully accessing peer-to-peer (P2P) or torrent websites through the network where the Palo Alto firewall generated an alert but did not block the traffic.

Detection Query

#Vendor = paloalto
event.action = url_filtering
| Vendor.Action != "block-url"
| Vendor.Action != "block-url-continue"
| Vendor.Action != "deny"
| (Vendor.URLCategoryList = /peer-to-peer/i OR Vendor.Category = /peer-to-peer/i)
| event.category[1] = threat
| Vendor.ApplicationTechnology = "browser-based"
| "Vendor.application_category" != "general-internet"
| groupBy([url.domain, url.original, source.user.name, source.ip, source.nat.ip, rule.name, Vendor.Action], function=[
    count(as=event_count)
])
| sort(event_count, order=desc)
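
To make the filter stages concrete, here is an added Python re-implementation of the same predicates and groupBy/count/sort logic run over constructed Palo Alto URL-filtering events (example code written for this page, not part of the repository or of CrowdStrike's tooling; the field names come from the CQL above, while the `_ev` helper and every sample value are invented).

```python
import re
from collections import Counter

# Same exclusions and pattern as the CQL above; missing fields are treated as
# non-matching for "=" and as passing "!=" (an assumption about this data).
BLOCKING_ACTIONS = {"block-url", "block-url-continue", "deny"}
P2P = re.compile(r"peer-to-peer", re.IGNORECASE)  # /peer-to-peer/i
GROUP_KEYS = ("url.domain", "url.original", "source.user.name",
              "source.ip", "source.nat.ip", "rule.name", "Vendor.Action")

def matches(ev: dict) -> bool:
    """Apply the CQL filter stages, in order, to one normalised event."""
    if ev.get("#Vendor") != "paloalto" or ev.get("event.action") != "url_filtering":
        return False
    if ev.get("Vendor.Action") in BLOCKING_ACTIONS:  # keep alerted/allowed traffic only
        return False
    cats = (ev.get("Vendor.URLCategoryList", ""), ev.get("Vendor.Category", ""))
    if not any(P2P.search(c) for c in cats):
        return False
    return (ev.get("event.category[1]") == "threat"
            and ev.get("Vendor.ApplicationTechnology") == "browser-based"
            and ev.get("Vendor.application_category") != "general-internet")

def detect(events):
    """groupBy(GROUP_KEYS) with count(as=event_count), sorted descending."""
    counts = Counter(tuple(ev.get(k) for k in GROUP_KEYS) for ev in events if matches(ev))
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

def _ev(action, category, user="jdoe", app_cat="media", **over):
    """Constructed Palo Alto URL-filtering event using the field names from the CQL."""
    ev = {"#Vendor": "paloalto", "event.action": "url_filtering",
          "Vendor.Action": action, "Vendor.URLCategoryList": category,
          "Vendor.Category": category, "event.category[1]": "threat",
          "Vendor.ApplicationTechnology": "browser-based",
          "Vendor.application_category": app_cat, "rule.name": "outbound-web",
          "url.domain": "tracker.example", "url.original": "http://tracker.example/announce",
          "source.user.name": user, "source.ip": "10.0.0.5", "source.nat.ip": "203.0.113.7"}
    ev.update(over)
    return ev

SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    _ev("alert", "peer-to-peer"),                          # alerted, not blocked -> hit
    _ev("alert", "peer-to-peer"),                          # same group key -> event_count 2
    _ev("alert", "Peer-to-Peer,low-risk", user="asmith"),  # case-insensitive match -> hit
    _ev("block-url", "peer-to-peer", user="bbrown"),       # blocked -> excluded
    _ev("alert", "peer-to-peer", app_cat="general-internet"),  # excluded by last filter
    _ev("alert", "streaming-media"),                       # not P2P -> excluded
]
```

`detect(SAMPLE_EVENTS)` returns two groups: jdoe's tracker hits with event_count 2, then asmith's with 1; the blocked, general-internet and non-P2P events never reach the groupBy.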

Author

Mahfuz

Data Sources

Network

Platforms

network

Tags

Detection

Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Torrent Website Access Detected

# Description of what the query does and its purpose.
description: |
  Detects users successfully accessing peer-to-peer (P2P) or torrent websites through the network where the Palo Alto firewall generated an alert but did not block the traffic.

# The author or team that created the query.
author: Mahfuz

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Network

# Tags for filtering and categorization.
tags:
  - Detection

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #Vendor = paloalto
  event.action = url_filtering
  | Vendor.Action != "block-url"
  | Vendor.Action != "block-url-continue"
  | Vendor.Action != "deny"
  | (Vendor.URLCategoryList = /peer-to-peer/i OR Vendor.Category = /peer-to-peer/i)
  | event.category[1] = threat
  | Vendor.ApplicationTechnology = "browser-based"
  | "Vendor.application_category" != "general-internet"
  | groupBy([url.domain, url.original, source.user.name, source.ip, source.nat.ip, rule.name, Vendor.Action], function=[
      count(as=event_count)
  ])
  | sort(event_count, order=desc)