Palo Alto Networks

Palo Alto Networks - Leading firewall and cybersecurity solutions.

Provider: Fortinet

Detection Rule MITRE Tactic MITRE Technique Criticality
DNS Tunneling Detection Command and Control Application Layer Protocol (T1071.001) High
Investigation Actions (APIs) Monitor DNS query logs
Analyze response sizes
Incident Creation Criteria Unusually high volume of DNS queries
Frequent DNS requests to rare domains
Suspicious File Transfer Exfiltration Exfiltration Over Command and Control Channel (T1041) High
Investigation Actions (APIs) Retrieve logs of FTP/HTTP file transfers
Analyze file types transferred
Incident Creation Criteria Large files transferred to external IPs
Non-standard file types transferred out
Credential Dumping Attempt Credential Access Credential Dumping (T1003) High
Investigation Actions (APIs) Query logs for use of mimikatz or similar tools
Monitor Windows event logs
Incident Creation Criteria Use of tools known for credential dumping
Unusual access to LSASS memory
Abnormal Endpoint Activity Impact Data Encrypted for Impact (T1486) High
Investigation Actions (APIs) Analyze logs for file encryption events
Retrieve user activity logs
Incident Creation Criteria Significant data encryption by unknown processes
Files being encrypted in large volumes
Ransomware Activity Impact Data Encrypted for Impact (T1486) High
Investigation Actions (APIs) Monitor for rapid file renaming or encryption
Track access to backup files
Incident Creation Criteria Rapid increase in file encryption or renaming attempts
Access to sensitive directories without valid reason
Anomalous Cloud Resource Access Cloud Security Cloud Service Dashboard Access (T1543.003) Medium
Investigation Actions (APIs) Query logs for cloud resource access
Monitor changes to IAM policies
Incident Creation Criteria Access to sensitive cloud resources from unrecognized IPs
Changes to security groups or IAM roles
Suspicious API Calls Collection Data from Information Repositories (T1213) Medium
Investigation Actions (APIs) Monitor API logs for unauthorized access
Analyze traffic patterns to cloud APIs
Incident Creation Criteria API calls made outside of normal hours
Access to sensitive APIs by unrecognized users
Unauthorized User Privilege Escalation Privilege Escalation Privilege Escalation via Exploit (T1068) High
Investigation Actions (APIs) Review logs for user privilege changes
Monitor for unusual service account behavior
Incident Creation Criteria Changes in user roles without approval
Access to privileged resources by standard users
Unexpected Geolocation Login Initial Access Valid Accounts (T1078) High
Investigation Actions (APIs) Analyze login logs for geolocation data
Query for successful logins from unusual locations
Incident Creation Criteria Logins from multiple geographic locations in a short time frame
Access from countries not associated with the organization
Anomalous Protocol Usage Command and Control Application Layer Protocol (T1071) Medium
Investigation Actions (APIs) Monitor traffic for use of non-standard protocols
Analyze packet captures for anomalies
Incident Creation Criteria Use of unusual or deprecated protocols (e.g., Telnet)
High traffic volume on rare ports

APIs and Their Scopes

Detection Rule API Required API Scope
DNS Tunneling Detection getDNSLogs read:logs
Suspicious File Transfer getFileTransferLogs read:logs
Credential Dumping Attempt getAuthenticationLogs read:logs
Abnormal Endpoint Activity getFileEncryptionEvents read:logs
Ransomware Activity getFileActivityLogs read:logs
Anomalous Cloud Resource Access getCloudResourceAccessLogs read:logs
Suspicious API Calls getAPICalls read:logs
Unauthorized User Privilege Escalation getUserPrivilegeChanges read:logs
Unexpected Geolocation Login getLoginLogs read:logs
Anomalous Protocol Usage getTrafficLogs read:logs

Reports and Widgets for CISO

Report Name Widgets Description
Executive Summary Report Total incidents reported High-level overview of security incidents and trends.

Incident trend graph

Risk score summary

Compliance status overview
Incident Response Effectiveness Average response time per incident Evaluation of incident response times and actions taken.

Number of incidents by severity

Top incident categories

Percentage of incidents resolved within SLA
Threat Landscape Overview Top threat actors Insights into the types and sources of threats detected.

Types of malware detected

Source IP addresses of threats

Geolocation of attacks
User Activity Report Number of user logins per department Analysis of user behavior and anomalies.

Anomalous login attempts

Access to sensitive data

Top users with privilege escalations
Data Exfiltration Summary Volume of data transferred out Overview of potential data loss incidents.

Top external destinations

Protocols used for data transfer

Alerts triggered for exfiltration attempts
Firewall Performance Report Total blocked and allowed traffic Metrics on firewall efficacy and performance.

Top blocked applications

Firewall throughput

Number of active sessions
Compliance Posture Report Compliance score Assessment of compliance with industry standards (e.g., GDPR, PCI-DSS).

Compliance checklist status

Non-compliance incidents

Audit trail of changes made
Vulnerability Management Report Number of vulnerabilities identified Summary of vulnerabilities detected and their status.

Critical vs. non-critical vulnerabilities

Remediation status

Vulnerability age analysis
Network Traffic Analysis Top talkers by traffic volume Insights into network behavior and anomalies.

Traffic anomalies detected

Traffic trends over time

Protocol usage breakdown
Policy Violation Report Number of policy violations Summary of incidents where policies were violated.

Types of violations

Users involved in violations

Time to remediation for violations