Palo Alto Networks Next-Generation Firewalls (NGFWs) are enterprise-level firewalls. Palo Alto NGFWs use a combination of signature-based detection, behaviour analysis, and machine learning to identify threats. Palo Alto claims they analyze network traffic patterns and application behaviour to detect anomalies. Palo Alto also has its own threat intelligence database (Threat Vault) to identify threat actors. This blog post will showcase how to create Azure Sentinel SIEM use cases based on Palo Alto NGFW Command and Control (C2) alerts, general exploits with published PoCs, malware (viruses and spyware), and malicious URLs.
Palo Alto Security Configuration
First of all, make sure to set the correct blocking rules in your Palo Alto Networks (PAN) PAN-OS configuration. Next, forward your Palo Alto "THREAT" log data to your Linux rsyslog server, which in turn forwards the useful threat events to Azure Sentinel via the Azure Monitor Agent (AMA). Lastly, install the Palo Alto AMA data connector in Azure Sentinel.
Once you have your Palo Alto NGFW log data in the Log Analytics workspace behind Azure Sentinel, you can leverage the built-in Analytics Rules and Workbooks. Unfortunately, the built-in Azure Sentinel Analytics Rules (use cases) are rather generic and do not bring the depth and detail the SOC team needs to act fast during a security incident. This is why Cryptsus is sharing custom Analytics Rules (use cases) for threat hunting of possible malicious activity, covering IoAs and IoCs mapped to the MITRE ATT&CK framework. Luckily, the default Sentinel SIEM parser works correctly. However, the Threat Vault signature IDs are inconveniently parsed: Palo Alto writes the signature name and its numeric ID into one field, in the form "Signature Name(12345)". This is why we customized the KQL (Kusto Query Language) code to split that field and build a direct Palo Alto Threat Vault lookup link for each alert.
1. Palo Alto firewall detects Command and Control payload
//cryptsus.com - we craft cyber security solutions
//Palo Alto IDS/IPS is based on Threat Vault. Search signatureID here: https://threatvault.paloaltonetworks.com/
CommonSecurityLog
| extend ThreatVaultBaseURL = 'https://threatvault.paloaltonetworks.com/?query='
| where DeviceVendor == "Palo Alto Networks"
| where DeviceEventClassID contains "Command and Control"
// DeviceEventClassID looks like "Signature Name(12345)": split on "(" and drop the trailing ")"
| extend Parts = split(DeviceEventClassID, '(')
| extend SignatureName = tostring(Parts[0])
| extend SignatureIDcat = tostring(Parts[1])
| extend SignatureID = substring(SignatureIDcat, 0, strlen(SignatureIDcat) - 1)
| extend ThreatVaultURL = strcat(ThreatVaultBaseURL, SignatureID)
| where isnotempty(RequestURL)
| summarize Amount=count() by RequestURL, DeviceName, SignatureName, ThreatVaultURL, ApplicationProtocol, DeviceEventCategory, Activity, DeviceAction, SourceIP, DestinationIP, DestinationPort, Protocol
Example result. A reverse shell web shell was detected:
RequestURL: paribosyn.lu:5007/web_shell_cmd.gch
DeviceName: PA_PAN_10_DMZ01_NY
SignatureName: Generic Webshell Command and Control Traffic Detection
ThreatVaultURL: https://threatvault.paloaltonetworks.com/?query=83227
ApplicationProtocol: web-browsing
DeviceEventCategory: spyware
Activity: THREAT
DeviceAction: reset-server
SourceIP: 45.148.10.88
DestinationIP: 192.180.10.102
DestinationPort: 5007
Protocol: tcp
2. Palo Alto NGFW detects malware (virus)
//cryptsus.com - we craft cyber security solutions
//Palo Alto IDS/IPS is based on Threat Vault. Search signatureID here: https://threatvault.paloaltonetworks.com/
CommonSecurityLog
| extend ThreatVaultBaseURL = 'https://threatvault.paloaltonetworks.com/?query='
| where DeviceVendor == "Palo Alto Networks"
| where DeviceEventClassID has_any ("ml-virus", "virus", "flood", "spyware", "wildfire-virus")
// DeviceEventClassID looks like "Signature Name(12345)": split on "(" and drop the trailing ")"
| extend Parts = split(DeviceEventClassID, '(')
| extend SignatureName = tostring(Parts[0])
| extend SignatureIDcat = tostring(Parts[1])
| extend SignatureID = substring(SignatureIDcat, 0, strlen(SignatureIDcat) - 1)
| extend ThreatVaultURL = strcat(ThreatVaultBaseURL, SignatureID)
| where isnotempty(RequestURL)
| summarize Amount=count() by RequestURL, DeviceName, SignatureName, ThreatVaultURL, ApplicationProtocol, DeviceEventCategory, Activity, DeviceAction, SourceIP, DestinationIP, DestinationPort, Protocol, LogSeverity
Example result. A malicious binary was detected. Unfortunately, Palo Alto does not provide a file hash checksum of the binary in the log entry:
RequestURL: icmp_rev.exe
DeviceName: PA_PAN_10_DMZ01_NY
SignatureName: Machine Learning found virus
ThreatVaultURL: https://threatvault.paloaltonetworks.com/?query=599800
ApplicationProtocol: ms-ds-smbv3
DeviceEventCategory: ml-virus
Activity: THREAT
DeviceAction: reset-both
SourceIP: 45.148.10.88
DestinationIP: 192.180.10.102
DestinationPort: 445
Protocol: tcp
3. Palo Alto firewall detects attacks which are not blocked
//cryptsus.com - we craft cyber security solutions
//Palo Alto IDS/IPS is based on Threat Vault. Search signatureID here: https://threatvault.paloaltonetworks.com/
CommonSecurityLog
| extend ThreatVaultBaseURL = 'https://threatvault.paloaltonetworks.com/?query='
| where DeviceVendor == "Palo Alto Networks"
| where Activity == "THREAT"
// "alert" means the firewall logged the threat but did not reset or drop the session
| where DeviceAction == "alert"
// DeviceEventClassID looks like "Signature Name(12345)": split on "(" and drop the trailing ")"
| extend Parts = split(DeviceEventClassID, '(')
| extend SignatureName = tostring(Parts[0])
| extend SignatureIDcat = tostring(Parts[1])
| extend SignatureID = substring(SignatureIDcat, 0, strlen(SignatureIDcat) - 1)
| extend ThreatVaultURL = strcat(ThreatVaultBaseURL, SignatureID)
// noisy informational signature, excluded on purpose
| where SignatureName != "Microsoft Windows NTLMSSP Detection"
| summarize by DeviceName, SignatureName, ThreatVaultURL, ApplicationProtocol, DeviceEventCategory, Activity, DeviceAction, SourceIP, DestinationIP, DestinationPort, Protocol
Example result. crackmapexec was detected trying to exploit Windows SMB:
DeviceName: pavmhuba2848000001
SignatureName: Microsoft Windows user enumeration
ThreatVaultURL: https://threatvault.paloaltonetworks.com/?query=30842
ApplicationProtocol: ms-ds-smbv3
DeviceEventCategory: vulnerability
Activity: THREAT
DeviceAction: alert
SourceIP: 45.148.10.88
DestinationIP: 192.180.10.102
DestinationPort: 445
Protocol: tcp
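The signature-splitting step that use cases 1 to 3 share, and the CEF-to-CommonSecurityLog field mapping those queries rely on, as an added Python example (not code from the original post, from Palo Alto or from Microsoft): it parses one constructed PAN-OS THREAT line in CEF form into CommonSecurityLog-style columns, extracts the Threat Vault signature ID the same way the KQL does, and flags "alert"-only rows. The sample log line, the helper names (parse_cef, split_signature, enrich) and the key-to-column table are assumptions made for this illustration.

```python
import re
# Constructed sample (not a real capture): a PAN-OS THREAT log in CEF form,
# header vendor|product|version|threatid|type|severity, then key=value pairs.
SAMPLE_CEF = (
    "CEF:0|Palo Alto Networks|PAN-OS|10.2.3|"
    "Generic Webshell Command and Control Traffic Detection(83227)|THREAT|3|"
    "rt=Jan 09 2024 10:11:12 src=45.148.10.88 dst=192.180.10.102 dpt=5007 "
    "proto=tcp act=reset-server cat=spyware app=web-browsing "
    "request=paribosyn.lu:5007/web_shell_cmd.gch dvchost=PA_PAN_10_DMZ01_NY"
)
THREAT_VAULT_BASE = "https://threatvault.paloaltonetworks.com/?query="
# CEF extension key -> Sentinel CommonSecurityLog column (standard CEF mapping).
CEF_TO_CSL = {
    "src": "SourceIP", "dst": "DestinationIP", "dpt": "DestinationPort",
    "proto": "Protocol", "act": "DeviceAction", "cat": "DeviceEventCategory",
    "app": "ApplicationProtocol", "request": "RequestURL", "dvchost": "DeviceName",
}
# PAN-OS writes threatid as "Signature Name(12345)"; URL rows carry only "(9999)".
SIG_RE = re.compile(r"^(?P<name>.*?)\((?P<id>\d+)\)$")

def parse_cef(line: str) -> dict:
    """Map one CEF line onto CommonSecurityLog-style columns (assumes no
    escaped '|' in the header, which holds for PAN-OS THREAT logs)."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    row = {"DeviceVendor": parts[1], "DeviceEventClassID": parts[4],
           "Activity": parts[5], "LogSeverity": parts[6]}
    # Extension values may contain spaces (rt=...), so stop before the next key=.
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        row[CEF_TO_CSL.get(key, key)] = value
    return row

def split_signature(event_class_id: str):
    """Equivalent of the KQL split('(') + substring step, tolerant of rows
    without an '(ID)' suffix (returns the raw text and None)."""
    m = SIG_RE.match(event_class_id.strip())
    if not m:
        return event_class_id.strip(), None
    return m.group("name").strip(), m.group("id")

def enrich(line: str) -> dict:
    """Add SignatureName, SignatureID and ThreatVaultURL as the queries do."""
    row = parse_cef(line)
    name, sig_id = split_signature(row["DeviceEventClassID"])
    row.update(SignatureName=name, SignatureID=sig_id,
               ThreatVaultURL=THREAT_VAULT_BASE + sig_id if sig_id else None)
    # DeviceAction "alert" means the NGFW only logged the event (use case 3).
    row["NotBlocked"] = row.get("DeviceAction") == "alert"
    return row
```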
4. Palo Alto firewall blocked URLs
//cryptsus.com - we craft cyber security solutions
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceEventClassID == "url"
| where isnotempty(RequestURL)
| summarize Amount=count() by RequestURL, DeviceName, ApplicationProtocol, DeviceEventCategory, Activity, DeviceAction, SourceIP, DestinationIP, DestinationPort, Protocol
Example result. This website was flagged by a user clicking on a malicious phishing e-mail:
RequestURL DeviceName ApplicationProtocol DeviceEventCategory Activity DeviceAction SourceIP DestinationIP DestinationPort Protocol
http://www.824555.com PA_PAN_10_DMZ01_NY web-browsing (9999) threat-hunting THREAT block-url 45.148.10.88 192.180.10.102 2038 tcp
There are many other use cases and alerts which can be created based on your environment and business risks. Are you missing important alerts? Is your SIEM outdated? Contact us if you want to take your SIEM to the next level.