| 1 | +[metadata] |
| 2 | +creation_date = "2025/11/18" |
| 3 | +maturity = "production" |
| 4 | +updated_date = "2025/11/18" |
| 5 | + |
| 6 | +[rule] |
| 7 | +author = ["Elastic"] |
| 8 | +description = """ |
| 9 | +This rule correlate any Elastic Defend alert with a set of suspicious events from Next-Gen Firewall like Palo Alto |
| 10 | +Networks (PANW) and Fortinet Fortigate by host.ip and source.ip. This may indicate that this host is compromised and |
| 11 | +triggering multi-datasource alerts. |
| 12 | +""" |
| 13 | +from = "now-9m" |
| 14 | +interval = "1h" |
| 15 | +language = "esql" |
| 16 | +license = "Elastic License v2" |
| 17 | +name = "Elastic Defend and NG-Firewall Alerts Correlation" |
| 18 | +risk_score = 73 |
| 19 | +rule_id = "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe" |
| 20 | +severity = "high" |
| 21 | +tags = [ |
| 22 | + "Use Case: Threat Detection", |
| 23 | + "Rule Type: Higher-Order Rule", |
| 24 | + "Resources: Investigation Guide", |
| 25 | + "Data Source: Elastic Defend", |
| 26 | + "Data Source: Fortinet", |
| 27 | + "Data Source: PAN-OS" |
| 28 | +] |
| 29 | +timestamp_override = "event.ingested" |
| 30 | +type = "esql" |
| 31 | + |
| 32 | +query = ''' |
| 33 | +FROM logs-endpoint.alerts-default-*, logs-panw.panos-default-*, logs-fortinet_fortigate.log-default-* metadata _id |
| 34 | +| WHERE |
| 35 | + // PANW suspicious events |
| 36 | + (event.dataset == "panw.panos" and |
| 37 | + event.action in ("virus_detected", "wildfire_virus_detected", "c2_communication", "spyware_detected", "large_upload", "denied")) or |
| 38 | +
|
| 39 | + // Fortigate suspicious events |
| 40 | + (event.dataset == "fortinet_fortigate.log" and |
| 41 | + (event.action in ("outbreak-prevention", "deny", "infected", "blocked") or message like "backdoor*" or message like "Proxy*" or message like "anomaly*" or message like "P2P*" or message like "misc*" or message like "DNS.Over.HTTPS" or message like "Remote.Access")) or |
| 42 | +
|
| 43 | + // Elastic Defend Alerts |
| 44 | + (event.module == "endpoint" and event.dataset == "endpoint.alerts") |
| 45 | +
|
| 46 | +// extract source.ip from PANW or Fortigate events and host.ip from Elastic Defend alert |
| 47 | +|eval fw_alert_source_ip = CASE(event.dataset in ("panw.panos", "fortinet_fortigate.log"), source.ip, null), |
| 48 | + elastic_defend_alert_host_ip = CASE(event.module == "endpoint" and event.dataset == "endpoint.alerts", host.ip, null) |
| 49 | +| eval Esql.source_ip = COALESCE(fw_alert_source_i, elastic_defend_alert_host_ip) |
| 50 | +| where Esql.source_ip is not null |
| 51 | +
|
| 52 | +// group by host_source_ip shared between FG/PANW and Elastic Defend |
| 53 | +| stats Esql.alerts_count = COUNT(*), |
| 54 | + Esql.event_module_distinct_count = COUNT_DISTINCT(event.module), |
| 55 | + Esql.event_module_values = VALUES(event.module), |
| 56 | + Esql.message_values = VALUES(message), |
| 57 | + Esql.event_action_values = VALUES(event.action), |
| 58 | + Esql.process_executable_values = VALUES(process.executable), |
| 59 | + Esql.host_id_values = VALUES(host.id), |
| 60 | + Esql.user_name_values = VALUES(user.name), |
| 61 | + Esql.destination_ip_values = VALUES(destination.ip) |
| 62 | + by Esql.source_ip |
| 63 | +| where Esql.event_module_distinct_count >= 2 |
| 64 | +| keep Esql.alerts_count, Esql.host_source_ip, Esql.destination_ip_values, Esql.host_id_values, Esql.user_name_values, Esql.event_module_values, Esql.message_values, Esql.process_executable_values |
| 65 | +''' |
| 66 | +note = """## Triage and analysis |
| 67 | +
|
| 68 | +### Investigating Elastic Defend and NG-Firewall Alerts Correlation |
| 69 | +
|
| 70 | +This rule correlate any Elastic Defend alert with suspicious events from Next-Gen Firewall like Palo Alto Networks (PANW) and Fortinet Fortigate by host.ip. |
| 71 | +
|
| 72 | +### Possible investigation steps |
| 73 | +
|
| 74 | +- Review the alert details to identify the specific host and users involved. |
| 75 | +- Investiguate the network alerts by destination.ip and message. |
| 76 | +- Examine the timeline of the alerts to understand the sequence of events and determine if there is a pattern or progression in the tactics used. |
| 77 | +- Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context. |
| 78 | +- Check for any indicators of compromise (IOCs) associated with the alerts, such as suspicious IP addresses, domains, or file hashes, and search for these across the network. |
| 79 | +- Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity. |
| 80 | +
|
| 81 | +### False positive analysis |
| 82 | +
|
| 83 | +- Alerts from routine administrative tasks may trigger multiple alerts. Review and exclude known benign activities such as scheduled software updates or system maintenance. |
| 84 | +- Security tools running on the host might generate alerts across different tactics. Identify and exclude alerts from trusted security applications to reduce noise. |
| 85 | +- Automated scripts or batch processes can mimic adversarial behavior. Analyze and whitelist these processes if they are verified as non-threatening. |
| 86 | +- Frequent alerts from development or testing environments can be misleading. Consider excluding these environments from the rule or applying a different risk score. |
| 87 | +- User behavior anomalies, such as accessing multiple systems or applications, might trigger alerts. Implement user behavior baselines to differentiate between normal and suspicious activities. |
| 88 | +
|
| 89 | +### Response and remediation |
| 90 | +
|
| 91 | +- Isolate the affected host from the network immediately to prevent further lateral movement by the adversary. |
| 92 | +- Conduct a thorough forensic analysis of the host to identify the specific vulnerabilities exploited and gather evidence of the attack phases involved. |
| 93 | +- Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated. |
| 94 | +- Apply security patches and updates to the host to address any exploited vulnerabilities and prevent similar attacks. |
| 95 | +- Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise. |
| 96 | +- Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns. |
| 97 | +- Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign.""" |
| 98 | + |
| 99 | + |
| 100 | + |
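Review bot: The query references two columns that are never defined and should fail to validate: the COALESCE on file line 49 uses `fw_alert_source_i` while the eval on line 47 defines `fw_alert_source_ip`, and the `keep` on line 64 lists `Esql.host_source_ip` while the stats group key on line 62 is `Esql.source_ip`; change them to `| eval Esql.source_ip = COALESCE(fw_alert_source_ip, elastic_defend_alert_host_ip)` and `| keep Esql.alerts_count, Esql.source_ip, Esql.destination_ip_values, …`. The filter `Esql.event_module_distinct_count >= 2` on line 63 also does not require one of the modules to be `endpoint`, so a source IP seen only by PANW and Fortigate would match even though the rule name, description and the comment on line 52 describe a firewall-to-Elastic-Defend correlation. Adding `Esql.endpoint_alert_count = COUNT(elastic_defend_alert_host_ip),` and `Esql.fw_alert_count = COUNT(fw_alert_source_ip),` to the stats and replacing the where with `| where Esql.endpoint_alert_count > 0 and Esql.fw_alert_count > 0` pins the intended cross-source condition, assuming COUNT(column) ignores the nulls produced by the CASE evals. Separately, `from = "now-9m"` combined with `interval = "1h"` on lines 13–14 appears to query only the last nine minutes of each hourly run, leaving most of every hour unexamined; confirm the intended lookback (for example `from = "now-1h"` plus the usual ingest-delay margin) matches the schedule.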