Different from the transaction operator which aggregates results, the transactionize operator correlates and provides detail, allowing you to display more fields/detail in your results. In this lab, use the transactionize operator to identify source IP addresses for which you've had normal traffic (type="TRAFFIC" and action="allow), " but also received traffic that has been flagged as a THREAT. To ensure you don't reach a memory limit, restrict the timeframe to the last 5 minutes.
((_sourceCategory=Labs/PaloAltoNetworks ",THREAT,") or (_sourceCategory=Labs/PaloAltoNetworks ",TRAFFIC," action=allow))
| concat(dest_ip,":", dest_port) as destination
| transactionize src_ip (merge type, destination, src_ip takeFirst)
| where type matches "*TRAFFIC*" and type matches "*THREAT*"
// Optionally, you can use these last 2 lines to clean up your results
//| count src_ip, type, destination
//| fields - _count