Microsoft Directory Services/ms-ds-smbv3 - Virus/Win32.WGeneric.yurld

We are seeing numerous alarms in our SIEM from our Palo Alto firewall. Here is a copy of a scrubbed log message below. When asked about their activity, the user said they only RDP'ed into various servers from their laptop via the GlobalProtect VPN for remote admin work and ran a batch file that re-maps drives. Additionally, they noted browsing to \\<dcserver>\netlogon and that it seemed to take a long time to enumerate the directory. Also, full AV endpoint scans show clean. Is this a false positive?

"03 18 2019 09:21:11 10.100.100.5 <USER:WARN> Mar 18 09:21:11 <FWname> 1,2019/03/18 09:21:11,001701011085,THREAT,virus,2049,2019/03/18 09:21:11,192.168.201.217,10.5.5.3,0.0.0.0,0.0.0.0,GPVPN to Inside Always_byApp,<domainname>, <username>,ms-ds-smbv3,vsys1,SSLVPN,Inside,tunnel.99,ethernet1/1,SIEM,2019/03/18 09:21:11,238186,1,51009,445,0,0,0x2000,tcp,drop,"",Virus/Win32.WGeneric.yurld(258226020),any,medium,server-to-client,55139558,0x2000000000000000,192.168.0.0-192.168.255.255,10.0.0.0-10.255.255.255,0,,0,,,0,,,,,,,,0,0,0,0,0,,sc-fw-pan-01,,,,,0,,0,,N/A,pe,Antivirus-2921-3431,0x0,0,4294967295,"
CISSP, CCSP, CISA, CISM
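The log in the post is a PAN-OS THREAT record wrapped in BSD syslog and then re-wrapped by the SIEM. The fields that actually answer "who sent what, and was it delivered" are Direction (server-to-client here), Action (drop), URL/Filename (empty), the threat name with its signature ID, and the Antivirus content version. The Python below is an added example, not code from the post or from Palo Alto Networks: it splits the record by the documented PAN-OS 8.x THREAT log column positions and turns those fields into triage notes. The sample line is constructed from the post's scrubbed values; the firewall hostname (taken from the Device Name column), the source user corp\jdoe and the empty destination user are assumptions filled in where the post was scrubbed.

```python
import csv
import re
from typing import Dict, List

# Constructed sample (not a real log): the post's scrubbed THREAT record, with
# the SIEM prefix kept, the syslog hostname set to the Device Name that appears
# later in the record, and an assumed DOMAIN\user source user followed by the
# empty destination-user column that the scrubbing collapsed.
SAMPLE_SYSLOG = (
    "03 18 2019 09:21:11 10.100.100.5 <USER:WARN> Mar 18 09:21:11 sc-fw-pan-01 "
    "1,2019/03/18 09:21:11,001701011085,THREAT,virus,2049,2019/03/18 09:21:11,"
    "192.168.201.217,10.5.5.3,0.0.0.0,0.0.0.0,GPVPN to Inside Always_byApp,"
    "corp\\jdoe,,ms-ds-smbv3,vsys1,SSLVPN,Inside,tunnel.99,ethernet1/1,SIEM,"
    "2019/03/18 09:21:11,238186,1,51009,445,0,0,0x2000,tcp,drop,\"\","
    "Virus/Win32.WGeneric.yurld(258226020),any,medium,server-to-client,55139558,"
    "0x2000000000000000,192.168.0.0-192.168.255.255,10.0.0.0-10.255.255.255,"
    "0,,0,,,0,,,,,,,,0,0,0,0,0,,sc-fw-pan-01,,,,,0,,0,,N/A,pe,Antivirus-2921-3431,"
    "0x0,0,4294967295,"
)

# 1-based column positions in the PAN-OS 8.x THREAT log CSV (everything after
# the "<month> <day> <time> <host> " syslog header). Only the columns needed
# for triage are listed; the rest are skipped by position.
THREAT_COLUMNS = {
    "type": 4, "subtype": 5, "src_ip": 8, "dst_ip": 9, "rule": 12,
    "src_user": 13, "app": 15, "src_zone": 17, "dst_zone": 18,
    "session_id": 23, "src_port": 25, "dst_port": 26, "proto": 30,
    "action": 31, "filename": 32, "threat": 33, "severity": 35,
    "direction": 36, "device_name": 60, "threat_category": 70,
    "content_version": 71,
}

# Locate the syslog header and capture the CSV body, which starts with the
# FUTURE_USE "1" column followed by the receive time. Using search() lets any
# SIEM prefix in front of the syslog header be ignored.
SYSLOG_HEADER = re.compile(
    r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(\d+,\d{4}/\d{2}/\d{2}.*)$"
)
# Threat/Content Name is "<signature name>(<signature id>)".
THREAT_NAME = re.compile(r"^(?P<name>.*)\((?P<id>\d+)\)$")


def parse_threat_log(line: str) -> Dict[str, str]:
    """Split one syslog-wrapped PAN-OS THREAT record into named fields."""
    m = SYSLOG_HEADER.search(line.strip().strip('"'))
    if not m:
        raise ValueError("not a BSD-syslog wrapped PAN-OS record")
    # csv handles the quoted URL/Filename column ("" here); a naive split(',')
    # would mis-count columns if a logged filename ever contained a comma.
    fields = next(csv.reader([m.group(1)]))
    if len(fields) < 71 or fields[3] != "THREAT":
        raise ValueError("not a PAN-OS THREAT record")
    rec = {name: fields[idx - 1].strip() for name, idx in THREAT_COLUMNS.items()}
    tm = THREAT_NAME.match(rec["threat"])
    rec["threat_name"] = tm.group("name") if tm else rec["threat"]
    rec["threat_id"] = tm.group("id") if tm else ""
    return rec


def triage(rec: Dict[str, str]) -> List[str]:
    """Turn the fields that decide who sent what into plain observations."""
    notes = []
    # Direction is the direction of the flagged content relative to the
    # session, not the direction of the session itself.
    if rec["direction"] == "server-to-client":
        notes.append(
            f"flagged content was sent by the server side {rec['dst_ip']}:{rec['dst_port']} "
            f"({rec['app']}) toward the client {rec['src_ip']}; examine the share on the "
            f"server, not only the client"
        )
    elif rec["direction"] == "client-to-server":
        notes.append(
            f"flagged content was sent by the client {rec['src_ip']} toward "
            f"{rec['dst_ip']}:{rec['dst_port']} ({rec['app']}); examine the client"
        )
    if rec["action"] == "drop":
        notes.append(
            "the firewall dropped the flagged transfer, so the receiving side may never "
            "have got the file; a clean endpoint scan does not by itself prove a false positive"
        )
    if not rec["filename"]:
        notes.append(
            f"no file name was logged; use session {rec['session_id']} or a packet capture "
            f"to identify the object"
        )
    notes.append(
        f"signature {rec['threat_name']} (id {rec['threat_id']}) from content package "
        f"{rec['content_version']}; look the id up in the vendor's threat database before "
        f"adding an exception"
    )
    return notes


if __name__ == "__main__":
    record = parse_threat_log(SAMPLE_SYSLOG)
    for key in ("src_ip", "dst_ip", "app", "action", "filename", "direction"):
        print(f"{key:10s} {record[key]}")
    for note in triage(record):
        print("-", note)
```

Run it as-is, or feed it the SIEM's raw lines; because it keys on the CSV that follows the syslog hostname, it works on the record whether or not the SIEM prepends its own header. The column map is for the PAN-OS 8.x THREAT format; if a firewall runs a release that adds columns at the end, the positions used here are unaffected, but any insertion in the middle would require updating the map.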