Palo Alto Networks Firewall - command and control traffic observed

Classification:

attack

Tactic:

TA0011-command-and-control

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when Palo Alto Networks (PAN) Firewall detects command and control activity.

Strategy

This rule monitors when PAN Firewall threat logs detect command and control activity. Threat logs display entries when traffic matches one of the security profiles attached to a security rule on the firewall.

Triage and response

  1. Determine if this network traffic is expected for this host {{ host }}.
    • Look for consistent connections over time.
    • Work with the system owners to understand if it is normal.
    • Investigate if there are any relevant host based alerts.
  2. If the network traffic is unexpected, begin your organization’s incident response process and investigate.
  3. If it is a false positive, consider including the IP or host in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.