From a324306f31a082e10baa28986696660db5e80b7b Mon Sep 17 00:00:00 2001 From: Samirbous Date: Tue, 18 Nov 2025 11:42:43 +0000 Subject: [PATCH 1/7] [New] PANW Command and Control Correlation This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify the source process performing the network activity. --- ...and_and_control_pan_elastic_defend_c2.toml | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml diff --git a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml new file mode 100644 index 00000000000..b3aba0d6a2e --- /dev/null +++ b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml 
@@ -0,0 +1,75 @@
+[metadata]
+creation_date = "2025/11/18"
+integration = ["endpoint", "panw"]
+maturity = "production"
+updated_date = "2025/11/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify
+the source process performing the network activity.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-default*", "logs-panw.panos-default-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "PANW Command and Control Correlation"
+references = [
+ "https://attack.mitre.org/tactics/TA0011/",
+ "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
+ "https://www.elastic.co/docs/reference/integrations/endpoint"
+]
+risk_score = 47
+rule_id = "da4f56b8-9bc5-4003-a46c-d23616fbc691"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: Windows",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Data Source: PAN-OS",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+query = '''
+sequence by source.port, source.ip, destination.ip with maxspan=1m
+ [network where event.module == "panw" and event.action == "c2_communication"]
+ [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
+'''
+note = """## Triage and analysis
+
+### Investigating PANW Command and Control Correlation
+
+### Possible investigation steps
+
+- Review the process details like command_line, privileges, global relevance and reputation.
+- Assess the destination.ip reputation and global relevance.
+- Review the parent process execution details like command_line, global relevance and reputation.
+- Examine all network connection details performed by the process during last 48h.
+- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
+
+### False positive analysis
+
+- Trusted system or third party processes performing network activity that looks like beaconing.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate the suspicious processes and all associated children and parents.
+- Implement network-level controls to block traffic to the destination.ip.
+- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
+- Reset credentials for any accounts associated with the source machine.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+"""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
\ No newline at end of file
From ec6ede8c4e97725da174e15e01b572b403ad3ba9 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 18 Nov 2025 12:08:20 +0000 Subject: [PATCH 2/7] Update rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../command_and_control_pan_elastic_defend_c2.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
index b3aba0d6a2e..dbf1cdcb32b 100644
--- a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
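Review bot: The step order in `sequence by source.port, source.ip, destination.ip with maxspan=1m` makes the PAN-OS `c2_communication` document the first step, so an Elastic Defend `connection_attempted` event timestamped before the firewall's threat verdict — presumably the common case if the endpoint records the socket at connect time — can never complete the sequence and only `disconnect_received` pairs are likely to fire; either swap the steps for the `connection_attempted` case or state the ordering assumption in `description`. The join also presumes the firewall log carries the endpoint's own address and port in `source.ip`/`source.port`; behind source NAT the pair would silently never match, which belongs in the false-positive/limitations text. With `from = "now-9m"`, PAN-OS syslog ingestion lag beyond the lookback drops matches as well, so a one-line note for deployers is warranted. Finally, the `### Investigating PANW Command and Control Correlation` heading has no body; a sentence such as `This alert pairs a PAN-OS threat log classified as command and control with the Elastic Defend network event for the same source/destination tuple, so the endpoint document names the process that made the connection.` would tell the analyst what the two correlated documents are.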
@@ -17,7 +17,7 @@ license = "Elastic License v2"
 name = "PANW Command and Control Correlation"
 references = [
 "https://attack.mitre.org/tactics/TA0011/",
- "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
+ "https://www.elastic.co/docs/reference/integrations/panw",
 "https://www.elastic.co/docs/reference/integrations/endpoint"
 ]
 risk_score = 47
From b3a4ab3d755849054f256bc3e2805fc436a50385 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Mon, 24 Nov 2025 13:21:03 +0000 Subject: [PATCH 3/7] Update rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --- .../command_and_control_pan_elastic_defend_c2.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
index dbf1cdcb32b..6a9349d277f 100644
--- a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
@@ -11,7 +11,7 @@ This detection correlates Palo Alto Networks (PANW) command and control events w
 the source process performing the network activity.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-default*", "logs-panw.panos-default-*"]
+index = ["logs-endpoint.events.network-*", "logs-panw.panos-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "PANW Command and Control Correlation"
From a3fcf2996d608e91710f6071f7ab15a408396347 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Mon, 24 Nov 2025 13:29:44 +0000 Subject: [PATCH 4/7] Update rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --- .../command_and_control_pan_elastic_defend_c2.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
index 6a9349d277f..ab70881dc99 100644
--- a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
@@ -72,4 +72,4 @@ framework = "MITRE ATT&CK"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0011/"
From 41c232741014812785ae9279642ef2bd3abffcaf Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Mon, 24 Nov 2025 13:30:01 +0000 Subject: [PATCH 5/7] Update rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --- .../command_and_control_pan_elastic_defend_c2.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
index ab70881dc99..8d250ab3ba6 100644
--- a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
@@ -14,7 +14,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.network-*", "logs-panw.panos-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "PANW Command and Control Correlation"
+name = "PANW/Defend - Command and Control Correlation"
 references = [
 "https://attack.mitre.org/tactics/TA0011/",
 "https://www.elastic.co/docs/reference/integrations/panw",
From 3d6279c9e56b6690f2fbbc3d8c0bc9bc937b1d53 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Mon, 24 Nov 2025 13:31:07 +0000 Subject: [PATCH 6/7] Update command_and_control_pan_elastic_defend_c2.toml --- .../command_and_control_pan_elastic_defend_c2.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
index 8d250ab3ba6..22b9c471b3c 100644
--- a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
@@ -14,7 +14,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.network-*", "logs-panw.panos-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "PANW/Defend - Command and Control Correlation"
+name = "PANW and Elastic Defend - Command and Control Correlation"
 references = [
 "https://attack.mitre.org/tactics/TA0011/",
 "https://www.elastic.co/docs/reference/integrations/panw",
@@ -42,7 +42,7 @@ sequence by source.port, source.ip, destination.ip with maxspan=1m
 '''
 note = """## Triage and analysis
 
-### Investigating PANW Command and Control Correlation
+### Investigating PANW and Elastic Defend - Command and Control Correlation
 
 ### Possible investigation steps
 
From affef1b24a5fc2ef763b372f6fd639f8bd83444c Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Mon, 24 Nov 2025 13:34:31 +0000 Subject: [PATCH 7/7] Update command_and_control_pan_elastic_defend_c2.toml --- .../command_and_control_pan_elastic_defend_c2.toml | 1 + 1 file changed, 1 insertion(+)
diff --git a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
index 22b9c471b3c..4ed6298ead7 100644
--- a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
@@ -46,6 +46,7 @@ note = """## Triage and analysis
 
 ### Possible investigation steps
 
+- Investigate in the Timeline feature the two events matching this correlation (PANW and Elastic Defend).
 - Review the process details like command_line, privileges, global relevance and reputation.
 - Assess the destination.ip reputation and global relevance.
 - Review the parent process execution details like command_line, global relevance and reputation.