|
| 1 | +[metadata] |
| 2 | +creation_date = "2025/11/18" |
| 3 | +integration = ["endpoint", "panw"] |
| 4 | +maturity = "production" |
| 5 | +updated_date = "2025/11/18" |
| 6 | + |
| 7 | +[rule] |
| 8 | +author = ["Elastic"] |
| 9 | +description = """ |
| 10 | +This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify |
| 11 | +the source process performing the network activity. |
| 12 | +""" |
| 13 | +from = "now-9m" |
| 14 | +index = ["logs-endpoint.events.network-*", "logs-panw.panos-*"] |
| 15 | +language = "eql" |
| 16 | +license = "Elastic License v2" |
| 17 | +name = "PANW and Elastic Defend - Command and Control Correlation" |
| 18 | +references = [ |
| 19 | + "https://attack.mitre.org/tactics/TA0011/", |
| 20 | + "https://www.elastic.co/docs/reference/integrations/panw", |
| 21 | + "https://www.elastic.co/docs/reference/integrations/endpoint" |
| 22 | +] |
| 23 | +risk_score = 47 |
| 24 | +rule_id = "da4f56b8-9bc5-4003-a46c-d23616fbc691" |
| 25 | +severity = "medium" |
| 26 | +tags = [ |
| 27 | + "Domain: Endpoint", |
| 28 | + "OS: Linux", |
| 29 | + "OS: Windows", |
| 30 | + "OS: macOS", |
| 31 | + "Use Case: Threat Detection", |
| 32 | + "Tactic: Command and Control", |
| 33 | + "Data Source: Elastic Defend", |
| 34 | + "Data Source: PAN-OS", |
| 35 | + "Resources: Investigation Guide", |
| 36 | +] |
| 37 | +type = "eql" |
| 38 | +query = ''' |
| 39 | +sequence by source.port, source.ip, destination.ip with maxspan=1m |
| 40 | + [network where event.module == "panw" and event.action == "c2_communication"] |
| 41 | + [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")] |
| 42 | +''' |
| 43 | +note = """## Triage and analysis |
| 44 | +
|
| 45 | +### Investigating PANW and Elastic Defend - Command and Control Correlation |
| 46 | +
|
| 47 | +### Possible investigation steps |
| 48 | +
|
| 49 | +- Investigate in the Timeline feature the two events matching this correlation (PANW and Elastic Defend). |
| 50 | +- Review the process details like command_line, privileges, global relevance and reputation. |
| 51 | +- Assess the destination.ip reputation and global relevance. |
| 52 | +- Review the parent process execution details like command_line, global relevance and reputation. |
| 53 | +- Examine all network connection details performed by the process during last 48h. |
| 54 | +- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity. |
| 55 | +
|
| 56 | +### False positive analysis |
| 57 | +
|
| 58 | +- Trusted system or third party processes performing network activity that looks like beaconing. |
| 59 | +
|
| 60 | +### Response and remediation |
| 61 | +
|
| 62 | +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. |
| 63 | +- Terminate the suspicious processes and all associated children and parents. |
| 64 | +- Implement network-level controls to block traffic to the destination.ip. |
| 65 | +- Conduct a thorough review of the system's configuration files to identify unauthorized changes. |
| 66 | +- Reset credentials for any accounts associated with the source machine. |
| 67 | +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. |
| 68 | +""" |
| 69 | + |
| 70 | +[[rule.threat]] |
| 71 | +framework = "MITRE ATT&CK" |
| 72 | + |
| 73 | +[rule.threat.tactic] |
| 74 | +id = "TA0011" |
| 75 | +name = "Command and Control" |
| 76 | +reference = "https://attack.mitre.org/tactics/TA0011/" |
0 commit comments