Palo Alto Networks Firewall - command and control traffic observed

Goal

Detect when Palo Alto Networks (PAN) Firewall detects command and control activity.

Strategy

This rule monitors when PAN Firewall threat logs detect command and control activity. Threat logs display entries when traffic matches one of the security profiles attached to a security rule on the firewall.

Triage and response

  1. Determine if this network traffic is expected for this host {{ host }}.
    • Look for consistent connections over time.
    • Work with the system owners to understand if it is normal.
    • Investigate if there are any relevant host based alerts.
  2. If the network traffic is unexpected, begin your organization’s incident response process and investigate.
  3. If it is a false positive, consider including the IP or host in a suppression list. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.