Analytics Story: Prohibited Traffic Allowed or Protocol Mismatch
Description
Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.
Why it matters
A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting the services and protocols to those explicitly approved by policy, administrators can minimize the attack surface. The combined effect allows both network defenders and security controls to focus and not be mired in superfluous traffic or data types. Looking for deviations to policy can identify attacker activity that abuses services and protocols to run on alternate or non-standard ports in the attempt to avoid detection or frustrate forensic analysts.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
Palo Alto Network Traffic | Network | pan:traffic |
screenconnect_palo_traffic |
Powershell Script Block Logging 4104 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
Sysmon EventID 12 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 13 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 22 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
References
Source: GitHub | Version: 1