PANW-IP-000008 - The Palo Alto Networks security platform must capture traffic of detected/dropped malicious code.

Information

Associating event outcome with detected events in the log provides a means of investigating an attack or suspected attack.

The logs should identify what servers, destination addresses, applications, or databases were potentially attacked by logging communications traffic between the target and the attacker. All commands that were entered by the attacker (such as account creations, changes in permissions, files accessed, etc.) during the session should also be logged when capturing for forensic analysis.

Packet captures of attack traffic can be used by forensic tools for analysis for example, to determine if an alert is real or a false alarm or for forensics for threat intelligence. Configure the packet capture filters so that the CPU is not overloaded. There are many reasons for a packet capture. This requirement addresses the case where the capture is based on forensics for a detected malicious attack and the traffic is being captured in association with that traffic. Filtering should be engaged to facilitate forensics.

Solution

This procedure will only capture the first packet. See the vendor documentation for further information.

Go to Objects >> Security Profiles >> Antivirus
Select the name of a configured Antivirus Profile or select 'Add' to create a new one.
In the 'Antivirus Profile' window, complete the required fields.
In the 'Antivirus' tab, select the 'Packet Capture' check box.
Select 'OK'.

Configure an Anti-Spyware Profile to capture detected malicious traffic.
Go to Objects >> Security Profiles >> Anti-Spyware
Select the name of a configured Anti-Spyware Profile or select 'Add' to create a new one.
In the 'Anti-Spyware Profile' window, complete the required fields in all tabs.
In the 'Rules' tab, select the name of a configured Anti-Spyware Rule or select 'Add' to create a new one.
In the 'Anti-Spyware Rule' window, in the 'Packet Capture' field, select 'extended-capture'.
Select 'OK'.
Select 'OK' again.

Configure a Vulnerability Protection Profile to capture detected malicious traffic.
Go to Objects >> Security Profiles >> Vulnerability Protection
Select the name of a configured Vulnerability Protection Profile or select 'Add' to create a new one.
In the 'Vulnerability Protection Profile' window, complete the required fields.
In the 'Rules' tab, select the name of a configured Vulnerability Protection Rule or select 'Add' to create a new one.
In the 'Vulnerability Protection Rule' window, in the 'Packet Capture' field, select 'extended-capture'.
Select 'OK'.
Select 'OK' again.

Use the Antivirus Profile, Anti-Spyware Profile, and Vulnerability Protection Profile in a Security Policy.
Go to Policies >> Security
Select an existing policy rule or select 'Add' to create a new one.
In the 'Actions tab in the Profile Setting section:
In the 'Profile Type' field, select 'Profiles'. The window will change to display the different categories of Profiles.
In the 'Antivirus' field, select the configured Antivirus Profile.
In the 'Anti-Spyware' field, select the configured Anti-Spyware Profile.
In the 'Vulnerability Protection' field, select the configured Vulnerability Protection Profile.
Select 'OK'.
Commit changes by selecting 'Commit' in the upper-right corner of the screen. Select 'OK' when the confirmation dialog appears.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y22M10_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, CAT|II, CCI|CCI-000134, Rule-ID|SV-207690r559743_rule, STIG-ID|PANW-IP-000008, STIG-Legacy|SV-77141, STIG-Legacy|V-62651, Vuln-ID|V-207690

Plugin: Palo_Alto

Control ID: 6dfaf7558910526e560227700ba3ab31163162f5b4c045ae99386ba6e67327bd