Palo Alto Networks Firewall - command and control traffic observed

Classification:

attack

Tactic:

TA0011-command-and-control

Technique:

T1071-application-layer-protocol

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detect when Palo Alto Networks (PAN) Firewall detects command and control activity.

Strategy

This rule monitors when PAN Firewall threat logs detect command and control activity. Threat logs display entries when traffic matches one of the security profiles attached to a security rule on the firewall.

Triage and response

  1. Determine if this network traffic is expected for this host {{ host }}.
    • Look for consistent connections over time.
    • Work with the system owners to understand if it is normal.
    • Investigate if there are any relevant host based alerts.
  2. If the network traffic is unexpected, begin your organization’s incident response process and investigate.
  3. If it is a false positive, consider including the IP or host in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.