
Palo Alto integration case studies

The Sophos MDR team escalated the following case for Palo Alto.

The case

On February 7th, MDR was alerted to an XDR-palo-alto-Command-and-Control alert in your estate. These alerts were generated from network traffic from the unmanaged host xx.x.xx.xxx to the IPs xx.xx.xxx.xxx and xxx.xxx.xx.xxx over port 53. The alert is for an unactioned Cobalt Strike C2 detection. Further investigation into the alert found the IP xxx.xxx.xx.xxx to be benign, as it resolves to redacted[.]co[.]nz; however, the IP xx.xx.xxx.xxx is a known malicious IP geo-located in Beijing, China. We investigated processes, network activity, files, and logs and did not observe malicious activity on the hosts with IPs xx.x.xx.xxx and xx.x.xx.xxx. We also investigated them for common areas of persistence, such as reverse shells, startup items, and processes with the LD_PRELOAD environment variable set, and did not observe malicious activity. Please let us know if you have any further questions or concerns. At this time, we ask that you follow our recommendations listed below.

Recommendations

Block the malicious IP xx.x.xx.xxx at your network perimeter.
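One of the persistence checks the case describes is looking for processes started with the LD_PRELOAD environment variable set. The script below is an added example of how an analyst can run that check on a Linux host; it is not Sophos or Palo Alto code, and the function names, the constructed sample environ blob and the sample ld.so.preload contents are assumptions made for illustration.

```python
import os
from pathlib import Path

# Hypothetical helper (example code): parse a /proc/<pid>/environ blob,
# which is a NUL-separated list of KEY=VALUE entries, and return the
# LD_PRELOAD value if present, else None.
def ld_preload_from_environ(environ_blob: bytes):
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None

# Hypothetical helper: parse /etc/ld.so.preload, which applies a preload to
# every dynamically linked process without touching its environment.
# One library path per line, '#' starts a comment.
def preload_file_entries(text: str):
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries

# Walk /proc and report every readable process with LD_PRELOAD set.
# environ reflects the environment at exec time only, so pair this with the
# ld.so.preload check above; reading other users' environ needs root.
def scan_proc(proc_root="/proc"):
    hits = {}
    if not os.path.isdir(proc_root):
        return hits
    for entry in os.scandir(proc_root):
        if not entry.name.isdigit():
            continue
        try:
            blob = Path(entry.path, "environ").read_bytes()
        except OSError:
            continue  # process exited, or not readable by this user
        value = ld_preload_from_environ(blob)
        if value is not None:
            hits[int(entry.name)] = value
    return hits

if __name__ == "__main__":
    # Constructed sample, not data from the case.
    sample = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/libx.so\0HOME=/root\0"
    print("sample environ LD_PRELOAD:", ld_preload_from_environ(sample))
    print("live /proc hits:", scan_proc())
    if os.path.exists("/etc/ld.so.preload"):
        print("ld.so.preload:", preload_file_entries(Path("/etc/ld.so.preload").read_text()))
```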