The Palo Alto Networks firewall identifies certain domains as being associated with malware and other malicious activity. If multiple threat signatures are triggered by a single host, this may indicate that the host is compromised. Custom reports can be created to help detect such infected hosts so that they can be quarantined.
This document describes how to create a custom report on DNS queries that are categorized as suspicious or malware.
Navigate to Monitor > Manage Custom Reports and click Add.
Set the Database field to Threat log, under Detailed logs (Slower).
Enter the query (under Query Builder) as (subtype eq spyware) and (app eq dns).
When the report is run, the output may look similar to the following:
Note: The report can be exported to PDF, CSV, or XML format, as desired.
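As an added example that is not part of this article, the following Python script processes a CSV export of that report (or of the raw Threat log) to apply the same filter as the query above and list source hosts that triggered more than one distinct DNS signature, which is the condition the article names as a sign of a compromised host. The CSV column names (Threat/Content Type, Application, Source address, Threat/Content Name) are assumptions about the export header, and the sample data is constructed.

```python
# Added example (not from the Palo Alto Networks article): reads a CSV export of
# the Threat log, keeps only the rows matched by the report query
# (subtype eq spyware) and (app eq dns), and lists hosts that triggered more
# than one distinct signature. Column names are assumptions about the export
# header; adjust them to match your firewall's CSV output.
import csv
import io
from collections import defaultdict

# Assumed CSV column names.
COL_SUBTYPE = "Threat/Content Type"
COL_APP = "Application"
COL_SRC = "Source address"
COL_THREAT = "Threat/Content Name"

# Constructed sample export (not real log data).
SAMPLE_CSV = """Receive Time,Type,Threat/Content Type,Source address,Destination address,Application,Threat/Content Name,Severity,Action
2024/01/02 10:00:01,THREAT,spyware,10.1.1.5,10.1.1.53,dns,Suspicious DNS Query (generic:example-bad.test),medium,alert
2024/01/02 10:00:07,THREAT,spyware,10.1.1.5,10.1.1.53,dns,Suspicious DNS Query (generic:other-bad.test),medium,alert
2024/01/02 10:00:09,THREAT,spyware,10.1.1.9,10.1.1.53,dns,Suspicious DNS Query (generic:example-bad.test),medium,alert
2024/01/02 10:01:00,THREAT,vulnerability,10.1.1.5,203.0.113.8,web-browsing,Some Vulnerability,high,reset-both
2024/01/02 10:01:30,THREAT,spyware,10.1.1.7,203.0.113.9,web-browsing,Spyware C2 beacon,critical,drop
"""


def dns_spyware_rows(csv_text):
    """Rows equivalent to the query (subtype eq spyware) and (app eq dns)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r[COL_SUBTYPE] == "spyware" and r[COL_APP] == "dns"]


def signatures_per_host(csv_text):
    """Map each source host to the sorted set of distinct signatures it hit."""
    per_host = defaultdict(set)
    for r in dns_spyware_rows(csv_text):
        per_host[r[COL_SRC]].add(r[COL_THREAT])
    return {host: sorted(sigs) for host, sigs in per_host.items()}


def hosts_to_review(csv_text, min_signatures=2):
    """Hosts with at least min_signatures distinct DNS threat signatures."""
    return sorted(h for h, s in signatures_per_host(csv_text).items()
                  if len(s) >= min_signatures)


if __name__ == "__main__":
    for host, sigs in signatures_per_host(SAMPLE_CSV).items():
        print(host, len(sigs), sigs)
    print("candidates for quarantine:", hosts_to_review(SAMPLE_CSV))
```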