Recently on my SIEM console, I could observe web traffic from an internal host machine towards a blacklisted IP over port 443. The alert was flagged by the PA-Series (Palo Alto firewall). I have observed two events:
1) CryptoMiner.Gen Malicious Script Detection
2) Traffic End
The first event contains the information below:
ThreatID=CryptoMiner.Gen Malicious Script Detection(18024)
The second event contains the information below:
Based on the above events, I assume this traffic would have been generated from the web browser, because it was mentioned as (Application=web-browsing) and the threat ID contains CryptoMiner.Gen Malicious Script Detection; probably some JS script is present in the browser which may be causing this traffic.
On the first event, CryptoMiner.Gen Malicious Script Detection, the action is mentioned as reset-both. Does it mean that the connection was unsuccessful?
But on the second event, Traffic End, the action is mentioned as allow, but in my payload I am unable to view the Session End Reason field to determine the actual reason for the traffic end.
Since I am new to analysing Palo Alto logs, please advise whether I need to take any action for the above events.
Thanks in advance.
Reset-both means that the PAN sent a reset packet to both the server and the client to terminate the connection, so yes, the connection was successful, but the PAN saw bad stuff and reset the connection. Also check the 'Type' or 'Log Subtype' column, depending on which log you are looking at, as it often also has useful info.
Hope that helps.
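As an added example (not part of the thread), the correlation a SIEM analyst could script for the two events above: a small Python parser over constructed key=value log lines that joins the THREAT and TRAFFIC events of one session and reports the policy action, the session end reason and whether the threat engine reset the connection. ThreatID and Application follow the post; SessionID, Type, Subtype and SessionEndReason are assumed field names, and the set of terminating actions lists PAN-OS security-profile action names.

```python
"""Correlate Palo Alto THREAT and TRAFFIC events per session (added example)."""
import re
from collections import defaultdict

# Constructed sample events, not real log data. ThreatID and Application follow
# the post; SessionID, Type, Subtype and SessionEndReason are assumed key names.
SAMPLE_LOGS = [
    'Type=THREAT Subtype=vulnerability SessionID=4711 SrcIP=10.0.0.25 '
    'DstIP=192.0.2.10 DstPort=443 Application=web-browsing '
    'ThreatID="CryptoMiner.Gen Malicious Script Detection(18024)" Action=reset-both',
    'Type=TRAFFIC Subtype=end SessionID=4711 SrcIP=10.0.0.25 DstIP=192.0.2.10 '
    'DstPort=443 Application=web-browsing Action=allow SessionEndReason=threat',
    'Type=TRAFFIC Subtype=end SessionID=4712 SrcIP=10.0.0.26 DstIP=198.51.100.5 '
    'DstPort=443 Application=web-browsing Action=allow SessionEndReason=tcp-fin',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Threat-log actions under which the firewall itself tore the session down.
TERMINATING_ACTIONS = {"reset-both", "reset-client", "reset-server", "drop"}


def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {key: (inner if raw.startswith('"') else raw)
            for key, raw, inner in KV_RE.findall(line)}


def correlate(lines):
    """Group events by SessionID and report what actually happened to each."""
    sessions = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        sessions[event["SessionID"]].append(event)
    result = {}
    for sid, events in sessions.items():
        threats = [e for e in events if e["Type"] == "THREAT"]
        ends = [e for e in events if e["Type"] == "TRAFFIC" and e["Subtype"] == "end"]
        end = ends[0] if ends else {}
        result[sid] = {
            # The TRAFFIC Action is the security-policy verdict (allow), not what
            # the threat engine did; a reset-both THREAT event for the same
            # session means the firewall matched a signature and reset it.
            "policy_action": end.get("Action", "unknown"),
            "session_end_reason": end.get("SessionEndReason", "unknown"),
            "threat_ids": [t["ThreatID"] for t in threats],
            "terminated_by_firewall": any(t["Action"] in TERMINATING_ACTIONS for t in threats),
            # The browser still ran whatever produced the request, so the host
            # needs triage whenever a threat matched, reset or not.
            "host_triage_needed": bool(threats),
        }
    return result
```

For session 4711 the summary shows policy_action allow, session_end_reason threat and terminated_by_firewall True, which is exactly the combination the question describes.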