Palo Alto Networks Firewall - command and control traffic observed

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when Palo Alto Networks (PAN) Firewall detects command and control activity.

Strategy

This rule monitors when PAN Firewall threat logs detect command and control activity. Threat logs display entries when traffic matches one of the security profiles attached to a security rule on the firewall.

Triage and response

  1. Determine if this network traffic is expected for this host {{ host }}.
    • Look for consistent connections over time.
    • Work with the system owners to understand if it is normal.
    • Investigate if there are any relevant host based alerts.
  2. If the network traffic is unexpected, begin your organization’s incident response process and investigate.
  3. If it is a false positive, consider including the IP or host in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.