PANW and Elastic Defend - Command and Control Correlation

[metadata]
creation_date = "2025/11/18"
integration = ["endpoint", "panw"]
maturity = "production"
updated_date = "2026/03/24"

[rule]
author = ["Elastic"]
description = """
This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify
the source process performing the network activity.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-panw.panos-*"]
language = "eql"
license = "Elastic License v2"
name = "PANW and Elastic Defend - Command and Control Correlation"
references = [
    "https://attack.mitre.org/tactics/TA0011/",
    "https://www.elastic.co/docs/reference/integrations/panw",
    "https://www.elastic.co/docs/reference/integrations/endpoint"
]
risk_score = 47
rule_id = "da4f56b8-9bc5-4003-a46c-d23616fbc691"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Data Source: Elastic Defend",
    "Data Source: PAN-OS",
    "Resources: Investigation Guide",
]
type = "eql"
query = '''
sequence by source.port, source.ip, destination.ip with maxspan=1m
 [network where event.module == "panw" and event.action == "c2_communication"]
 [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
'''
note = """## Triage and analysis

### Investigating PANW and Elastic Defend - Command and Control Correlation

### Possible investigation steps

- Investigate in the Timeline feature the two events matching this correlation (PANW and Elastic Defend).
- Review the process details like command_line, privileges, global relevance and reputation.
- Assess the destination.ip reputation and global relevance.
- Review the parent process execution details like command_line, global relevance and reputation.
- Examine all network connection details performed by the process during last 48h.
- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.

### False positive analysis

- Trusted system or third party processes performing network activity that looks like beaconing.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate the suspicious processes and all associated children and parents.
- Implement network-level controls to block traffic to the destination.ip.
- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
- Reset credentials for any accounts associated with the source machine.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
"""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"