
Palo Alto Firewalls - Detection Rules

Intro


Rule: PANW Firewall Traffic to Phishing URL Allowed

Severity

High

Detection Details

Detects when the Palo Alto Networks firewall does not block traffic to a URL known to be used in phishing attacks.
An adversary can abuse this by directing victims to the phishing site, potentially stealing credentials, deploying malware, or conducting other malicious activities.

MITRE ID

Execution (T1204)

Graylog Query

syslog_type:palo_alto_fw AND event_log_name:THREAT AND pan_log_subtype:url AND alert_category:phishing AND (event_severity:critical OR event_severity:high OR event_severity:medium) AND !vendor_event_action:deny AND !vendor_event_action:drop AND !vendor_event_action:reset AND !vendor_event_action:block

Rule: PANW Firewall Traffic to Malicious URL Allowed

Severity

High

Detection Details

Detects when the Palo Alto Networks firewall does not block traffic to a URL associated with malware distribution or operation.
This typically indicates a lapse in the firewall’s threat intelligence or a misconfiguration.
An adversary can abuse this by using the unblocked URL to download malware onto a target system, establish a command and control channel, or exfiltrate data.

MITRE ID

Execution (T1204)

Graylog Query

syslog_type:palo_alto_fw AND event_log_name:THREAT AND pan_log_subtype:url AND alert_category:malware AND (event_severity:critical OR event_severity:high OR event_severity:medium) AND !vendor_event_action:deny AND !vendor_event_action:drop AND !vendor_event_action:reset AND !vendor_event_action:block

Rule: PANW Firewall Virus Allowed

Severity

High

Detection Details

Detects active network communication associated with known malware that is being allowed by the Palo Alto Networks firewall.
This may indicate an ongoing security threat, where malicious traffic is bypassing firewall protections, potentially leading to system compromise, data exfiltration, or further infiltration within the network.

MITRE ID

Command and Control (T1071)

Graylog Query

syslog_type:palo_alto_fw AND event_log_name:THREAT AND pan_log_subtype:virus AND !vendor_event_action:deny AND !vendor_event_action:drop AND !vendor_event_action:reset AND !vendor_event_action:block

Rule: PANW Firewall TOR Traffic Allowed

Severity

High

Detection Details

Detects network traffic to the TOR network that the firewall allowed. Adversaries can use TOR to anonymize their network activity, bypass security controls, and evade detection while conducting malicious operations.
If the traffic is malicious, this could lead to unauthorized access, data exfiltration, and compliance violations.

MITRE ID

Command and Control (T1090)

Graylog Query

syslog_type:palo_alto_fw AND event_log_name:TRAFFIC AND application_name:tor AND vendor_event_action:allow

Rule: PANW Firewall Medium Severity Correlation Event Detected

Severity

Medium

Detection Details

Detects medium severity correlation events generated by Palo Alto Networks firewall’s automated correlation engine.
The correlation engine connects isolated network events and looks for patterns that indicate a more significant event.
This helps identify suspicious traffic patterns and network anomalies which, when correlated, indicate with a high probability that a host on the network has been compromised.

MITRE ID

Command and Control (T1071)
Command and Control (T1095)
Initial Access (T1190)

Graylog Query

syslog_type:palo_alto_fw AND event_log_name:CORRELATION AND vendor_alert_severity:medium
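
The five Graylog queries above share one shape: a set of field:value terms joined with AND, an optional bracketed OR group for severity, and negated terms that exclude events the firewall already blocked. The following Python is an added example (not SOCFortress, Graylog or Palo Alto Networks code) that compiles those exact query strings into predicates and runs them over constructed sample events, so the allow/block logic can be checked offline before the rules go live. It assumes only the syntax subset the page's queries use (parentheses, AND, OR, field:value, !field:value), treats each term as a case-insensitive exact match on a normalized field, and gives AND higher precedence than OR; the sample events and their field values are constructed for this example.

```python
"""Evaluate this page's Graylog detection queries against sample normalized
Palo Alto events. Added illustration, not SOCFortress or Graylog code."""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]
Pred = Callable[[Event], bool]

# Assumed subset of Graylog (Lucene) search syntax, which is all the page's
# queries use: parentheses, AND, OR, field:value and negated !field:value.
_TOKEN = re.compile(r"\(|\)|!?[A-Za-z_][A-Za-z0-9_]*:[^\s()]+|AND|OR")


def tokenize(query: str) -> List[str]:
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        if query[pos].isspace():
            pos += 1
            continue
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"unrecognised token near {query[pos:pos + 20]!r}")
        tokens.append(m.group(0))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent; AND binds tighter than OR (an assumption: every OR
    group on this page is bracketed, so precedence does not change results)."""

    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _next(self) -> str:
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return tok

    def parse(self) -> Pred:
        pred = self._or_expr()
        if self._peek() is not None:
            raise ValueError(f"trailing token {self._peek()!r}")
        return pred

    def _or_expr(self) -> Pred:
        pred = self._and_expr()
        while self._peek() == "OR":
            self._next()
            pred = (lambda l, r: lambda e: l(e) or r(e))(pred, self._and_expr())
        return pred

    def _and_expr(self) -> Pred:
        pred = self._atom()
        while self._peek() == "AND":
            self._next()
            pred = (lambda l, r: lambda e: l(e) and r(e))(pred, self._atom())
        return pred

    def _atom(self) -> Pred:
        tok = self._next()
        if tok == "(":
            pred = self._or_expr()
            if self._next() != ")":
                raise ValueError("missing closing parenthesis")
            return pred
        negate = tok.startswith("!")
        field, _, value = tok.lstrip("!").partition(":")

        # Case-insensitive exact match. A missing field never matches, so a
        # negated term is true when the field is absent, as NOT is in Graylog.
        def term(e: Event) -> bool:
            return str(e.get(field, "")).lower() == value.lower()
        return (lambda e: not term(e)) if negate else term


def compile_query(query: str) -> Pred:
    return _Parser(tokenize(query)).parse()


# The five queries exactly as listed on this page.
RULES = {
    "PANW Firewall Traffic to Phishing URL Allowed": "syslog_type:palo_alto_fw AND event_log_name:THREAT AND pan_log_subtype:url AND alert_category:phishing AND (event_severity:critical OR event_severity:high OR event_severity:medium) AND !vendor_event_action:deny AND !vendor_event_action:drop AND !vendor_event_action:reset AND !vendor_event_action:block",
    "PANW Firewall Traffic to Malicious URL Allowed": "syslog_type:palo_alto_fw AND event_log_name:THREAT AND pan_log_subtype:url AND alert_category:malware AND (event_severity:critical OR event_severity:high OR event_severity:medium) AND !vendor_event_action:deny AND !vendor_event_action:drop AND !vendor_event_action:reset AND !vendor_event_action:block",
    "PANW Firewall Virus Allowed": "syslog_type:palo_alto_fw AND event_log_name:THREAT AND pan_log_subtype:virus AND !vendor_event_action:deny AND !vendor_event_action:drop AND !vendor_event_action:reset AND !vendor_event_action:block",
    "PANW Firewall TOR Traffic Allowed": "syslog_type:palo_alto_fw AND event_log_name:TRAFFIC AND application_name:tor AND vendor_event_action:allow",
    "PANW Firewall Medium Severity Correlation Event Detected": "syslog_type:palo_alto_fw AND event_log_name:CORRELATION AND vendor_alert_severity:medium",
}
_COMPILED = {name: compile_query(q) for name, q in RULES.items()}


def matching_rules(event: Event) -> List[str]:
    """Names of the page's rules that fire on one normalized event."""
    return [name for name, pred in _COMPILED.items() if pred(event)]


# Constructed sample events (not real firewall output) using the field names
# the queries reference; the first three exercise the allow/block exclusions
# and the severity gate, the rest hit the remaining three rules.
SAMPLE_EVENTS = [
    {"syslog_type": "palo_alto_fw", "event_log_name": "THREAT", "pan_log_subtype": "url",
     "alert_category": "phishing", "event_severity": "high", "vendor_event_action": "alert"},
    {"syslog_type": "palo_alto_fw", "event_log_name": "THREAT", "pan_log_subtype": "url",
     "alert_category": "phishing", "event_severity": "high", "vendor_event_action": "block"},
    {"syslog_type": "palo_alto_fw", "event_log_name": "THREAT", "pan_log_subtype": "url",
     "alert_category": "malware", "event_severity": "low", "vendor_event_action": "alert"},
    {"syslog_type": "palo_alto_fw", "event_log_name": "THREAT", "pan_log_subtype": "virus",
     "vendor_event_action": "alert"},
    {"syslog_type": "palo_alto_fw", "event_log_name": "TRAFFIC", "application_name": "tor",
     "vendor_event_action": "allow"},
    {"syslog_type": "palo_alto_fw", "event_log_name": "CORRELATION",
     "vendor_alert_severity": "medium"},
]
```

Calling `matching_rules(ev)` for each entry of `SAMPLE_EVENTS` fires exactly one rule for the first, fourth, fifth and sixth events and none for the second (action `block` is excluded) and third (severity `low` is outside the bracketed OR group). Note that `!vendor_event_action:...` also matches events where the action field failed to parse, so a broken extractor surfaces as a burst of "allowed" alerts rather than silence; that is the behaviour of NOT in Graylog and is worth remembering when tuning.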