PANW and Elastic Defend - Command and Control Correlation

 1[metadata]
 2creation_date = "2025/11/18"
 3integration = ["endpoint", "panw"]
 4maturity = "production"
 5updated_date = "2025/11/18"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify
11the source process performing the network activity.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.network-*", "logs-panw.panos-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "PANW and Elastic Defend - Command and Control Correlation"
18references = [
19    "https://attack.mitre.org/tactics/TA0011/",
20    "https://www.elastic.co/docs/reference/integrations/panw",
21    "https://www.elastic.co/docs/reference/integrations/endpoint"
22]
23risk_score = 47
24rule_id = "da4f56b8-9bc5-4003-a46c-d23616fbc691"
25severity = "medium"
26tags = [
27    "Domain: Endpoint",
28    "OS: Linux",
29    "OS: Windows",
30    "OS: macOS",
31    "Use Case: Threat Detection",
32    "Tactic: Command and Control",
33    "Data Source: Elastic Defend",
34    "Data Source: PAN-OS",
35    "Resources: Investigation Guide",
36]
37type = "eql"
38query = '''
39sequence by source.port, source.ip, destination.ip with maxspan=1m
40 [network where event.module == "panw" and event.action == "c2_communication"]
41 [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
42'''
43note = """## Triage and analysis
44
45### Investigating PANW and Elastic Defend - Command and Control Correlation
46
47### Possible investigation steps
48
49- Investigate in the Timeline feature the two events matching this correlation (PANW and Elastic Defend).
50- Review the process details like command_line, privileges, global relevance and reputation.
51- Assess the destination.ip reputation and global relevance.
52- Review the parent process execution details like command_line, global relevance and reputation.
53- Examine all network connection details performed by the process during last 48h.
54- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
55
56### False positive analysis
57
58- Trusted system or third party processes performing network activity that looks like beaconing.
59
60### Response and remediation
61
62- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
63- Terminate the suspicious processes and all associated children and parents.
64- Implement network-level controls to block traffic to the destination.ip.
65- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
66- Reset credentials for any accounts associated with the source machine.
67- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
68"""
69
70[[rule.threat]]
71framework = "MITRE ATT&CK"
72
73[rule.threat.tactic]
74id = "TA0011"
75name = "Command and Control"
76reference = "https://attack.mitre.org/tactics/TA0011/"