Check your firewall logs to identify a 2-fold increase in denied traffic.
In this case, we will use the time compare operator, along with the timeshift option, to compare the current results of denied traffic to a base. Search for denied traffic for the last 24 hours, and compare it to the average count of denied traffic for the last 5 days.
_sourceCategory=Labs/PaloAltoNetworks and ",TRAFFIC," and action="deny"
| count action
| compare with timeshift -1d 5 avg
//Uncomment the following line to identify a count 2x that of your avg. This can be useful for alerting
//| where _count > (2 * _count_5d_avg)