https://live.paloaltonetworks.com/t5/general-topics/suspicious-traffic-from-internal-to-external-ip/m-p/305924#M79510 <P>Hi All,</P><P>&nbsp;</P><P><SPAN>Recently on my SIEM console. I could observe the web traffic from the internal host machine towards the blacklisted IP over the port 443. Alert was flagged by the PaSeries (Palo alto firewall). Two events I have observed&nbsp;</SPAN></P><P><SPAN>1)&nbsp;&nbsp;CryptoMiner.Gen Malicious Script Detection</SPAN></P><P><SPAN>2)</SPAN>Traffic End</P><P>&nbsp;</P><P><STRONG>First event contains below information</STRONG></P><P>Application=web-browsing</P><P>proto=tcp|action=reset-both</P><P>ThreatID=CryptoMiner.Gen Malicious Script Detection(18024)</P><P>URLCategory=insufficient-content</P><P>Flags=0x81502000</P><P>&nbsp;</P><P><STRONG>Second event contains below information</STRONG></P><P>Application=web-browsing</P><P>proto=tcp|action=allow</P><P>URLCategory=insufficient-content</P><P>totalBytes=25865|dstBytes=24296|srcBytes=1569|totalPackets=27</P><P>Flags=0x1500010.</P><P>&nbsp;</P><P>Based on the above events I assume , From the web browser this traffic would have been generated because it was mentioned as (Application=web-browsing) and the threat Id contains&nbsp;CryptoMiner.Gen Malicious Script Detection , probably some js script will be present in browser which may cause this traffic.</P><P>&nbsp;</P><P>On first event&nbsp;<SPAN>CryptoMiner.Gen Malicious Script Detection, action is mentioned as&nbsp;reset-both. it means that connection was unsuccessful ?</SPAN></P><P><SPAN>But on second event&nbsp;Traffic End, action is mentioned as allow but on my payload i am unable to view Session End Reason&nbsp;field to determine the actual reason of traffic end.</SPAN></P><P>&nbsp;</P><P>Since I am new to analyse the paloalto&nbsp; logs. Please advise do i need to take any action for the above events.</P><P>&nbsp;</P><P>Thanks in Advance</P><P><SPAN>&nbsp;</SPAN></P> Wed, 08 Jan 2020 04:49:57 GMT VyasarVenkat 2020-01-08T04:49:57Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-traffic-from-internal-to-external-ip/m-p/305924#M79510 <P>Hi All,</P><P>&nbsp;</P><P><SPAN>Recently on my SIEM console. I could observe the web traffic from the internal host machine towards the blacklisted IP over the port 443. Alert was flagged by the PaSeries (Palo alto firewall). Two events I have observed&nbsp;</SPAN></P><P><SPAN>1)&nbsp;&nbsp;CryptoMiner.Gen Malicious Script Detection</SPAN></P><P><SPAN>2)</SPAN>Traffic End</P><P>&nbsp;</P><P><STRONG>First event contains below information</STRONG></P><P>Application=web-browsing</P><P>proto=tcp|action=reset-both</P><P>ThreatID=CryptoMiner.Gen Malicious Script Detection(18024)</P><P>URLCategory=insufficient-content</P><P>Flags=0x81502000</P><P>&nbsp;</P><P><STRONG>Second event contains below information</STRONG></P><P>Application=web-browsing</P><P>proto=tcp|action=allow</P><P>URLCategory=insufficient-content</P><P>totalBytes=25865|dstBytes=24296|srcBytes=1569|totalPackets=27</P><P>Flags=0x1500010.</P><P>&nbsp;</P><P>Based on the above events I assume , From the web browser this traffic would have been generated because it was mentioned as (Application=web-browsing) and the threat Id contains&nbsp;CryptoMiner.Gen Malicious Script Detection , probably some js script will be present in browser which may cause this traffic.</P><P>&nbsp;</P><P>On first event&nbsp;<SPAN>CryptoMiner.Gen Malicious Script Detection, action is mentioned as&nbsp;reset-both. it means that connection was unsuccessful ?</SPAN></P><P><SPAN>But on second event&nbsp;Traffic End, action is mentioned as allow but on my payload i am unable to view Session End Reason&nbsp;field to determine the actual reason of traffic end.</SPAN></P><P>&nbsp;</P><P>Since I am new to analyse the paloalto&nbsp; logs. Please advise do i need to take any action for the above events.</P><P>&nbsp;</P><P>Thanks in Advance</P><P><SPAN>&nbsp;</SPAN></P> Wed, 08 Jan 2020 04:49:57 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-traffic-from-internal-to-external-ip/m-p/305924#M79510 VyasarVenkat 2020-01-08T04:49:57Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-traffic-from-internal-to-external-ip/m-p/305997#M79526 <P>Hello,</P><P>Reset-both means that the PAN send a rest packet to both the server and the client to terminate the connection, so yes the connection was successful but the PAN saw bad stuff and reset the connections. Also check the 'Type or Log Subtype', depends on which log you are looking at, column as it often also has useful info.</P><P><A href="https://docs.paloaltonetworks.com/cortex/explore/explore-schema-reference/long-field-descriptions/panw-fields/long-panw-session_end_reason.html" target="_blank">https://docs.paloaltonetworks.com/cortex/explore/explore-schema-reference/long-field-descriptions/panw-fields/long-panw-session_end_reason.html</A></P><P>&nbsp;</P><P>Hope that helps.&nbsp;</P> Wed, 08 Jan 2020 15:25:53 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-traffic-from-internal-to-external-ip/m-p/305997#M79526 OtakarKlier 2020-01-08T15:25:53Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-traffic-from-internal-to-external-ip/m-p/306063#M79539 <P>Thank you for the clarification</P> Thu, 09 Jan 2020 03:10:09 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-traffic-from-internal-to-external-ip/m-p/306063#M79539 VyasarVenkat 2020-01-09T03:10:09Z