diff --git a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml new file mode 100644 index 00000000000..4ed6298ead7 --- /dev/null +++ b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml @@ -0,0 +1,76 @@ +[metadata] +creation_date = "2025/11/18" +integration = ["endpoint", "panw"] +maturity = "production" +updated_date = "2025/11/18" + +[rule] +author = ["Elastic"] +description = """ +This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify +the source process performing the network activity. +""" +from = "now-9m" +index = ["logs-endpoint.events.network-*", "logs-panw.panos-*"] +language = "eql" +license = "Elastic License v2" +name = "PANW and Elastic Defend - Command and Control Correlation" +references = [ + "https://attack.mitre.org/tactics/TA0011/", + "https://www.elastic.co/docs/reference/integrations/panw", + "https://www.elastic.co/docs/reference/integrations/endpoint" +] +risk_score = 47 +rule_id = "da4f56b8-9bc5-4003-a46c-d23616fbc691" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: PAN-OS", + "Resources: Investigation Guide", +] +type = "eql" +query = ''' +sequence by source.port, source.ip, destination.ip with maxspan=1m + [network where event.module == "panw" and event.action == "c2_communication"] + [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")] +''' +note = """## Triage and analysis + +### Investigating PANW and Elastic Defend - Command and Control Correlation + +### Possible investigation steps + +- Investigate in the Timeline feature the two events matching this correlation (PANW and Elastic Defend). +- Review the process details like command_line, privileges, global relevance and reputation. +- Assess the destination.ip reputation and global relevance. +- Review the parent process execution details like command_line, global relevance and reputation. +- Examine all network connection details performed by the process during last 48h. +- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity. + +### False positive analysis + +- Trusted system or third party processes performing network activity that looks like beaconing. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Terminate the suspicious processes and all associated children and parents. +- Implement network-level controls to block traffic to the destination.ip. +- Conduct a thorough review of the system's configuration files to identify unauthorized changes. +- Reset credentials for any accounts associated with the source machine. +- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. +""" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/"