elastic · Samirbous · Nov 24, 2025 · Nov 18, 2025 · Nov 18, 2025 · Nov 24, 2025
diff --git a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml
@@ -0,0 +1,75 @@
+[metadata]
+creation_date = "2025/11/18"
+integration = ["endpoint", "panw"]
+maturity = "production"
+updated_date = "2025/11/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify
+the source process performing the network activity.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-default*", "logs-panw.panos-default-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "PANW Command and Control Correlation"
+references = [
+    "https://attack.mitre.org/tactics/TA0011/",
+    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
+    "https://www.elastic.co/docs/reference/integrations/endpoint"
+]
+risk_score = 47
+rule_id = "da4f56b8-9bc5-4003-a46c-d23616fbc691"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Defend",
+    "Data Source: PAN-OS",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+query = '''
+sequence by source.port, source.ip, destination.ip with maxspan=1m
+ [network where event.module == "panw" and event.action == "c2_communication"]
+ [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
+'''
+note = """## Triage and analysis
+
+### Investigating PANW Command and Control Correlation
+
+### Possible investigation steps
+
+- Review the process details like command_line, privileges, global relevance and reputation.
+- Assess the destination.ip reputation and global relevance.
+- Review the parent process execution details like command_line, global relevance and reputation.
+- Examine all network connection details performed by the process during last 48h.
+- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
+
+### False positive analysis
+
+- Trusted system or third party processes performing network activity that looks like beaconing.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate the suspicious processes and all associated children and parents.
+- Implement network-level controls to block traffic to the destination.ip.
+- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
+- Reset credentials for any accounts associated with the source machine.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+"""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"