Home - GiselleSerate/pandorica GitHub Wiki

PANDORICA (Palo Alto Networks DNS Obsolete Record Interchange Capability Assessment)

Why, exactly, do we swap certain DNS C2 domains in and out of Palo Alto Networks firewalls daily? Pandorica provides insight into this question and others by collecting this data from Palo Alto's daily antivirus release notes, aggregating it, and displaying it in Kibana dashboards.

Pipeline overview

These are the steps involved in the Pandorica pipeline.

  • Download notes: Get the latest AV update notes from the internal PAN engineering tools server. We determine which version is the latest version by asking a firewall configured to download latest AV updates daily.
  • Parse notes: Parse out added/removed domains and their associated threat headers. Write each to the Elasticsearch database.
  • Tag domains: Find all untagged and non-generic domains in Elasticsearch. Ask AutoFocus for the first tag associated with each and write it back to Elasticsearch.
  • Calculate intervals: Calculate any domain residence/reinsert intervals we haven't calculated yet. Write these intervals to Elasticsearch.

Vocabulary

Residence/reinsert interval

Residence/reinsert times are metrics to express how long a domain has spent in or out of the firewall.

A specific occurrence of a domain (one add or remove event) has either a residence interval, a reinsert interval, or neither, never both. If the domain was just removed, the residence time is how long it has been since we last inserted it: how long this domain has spent in the firewall. If it was just added, the reinsert time is how long it has been since we last removed it: how long this domain has spent out of the firewall. If we have never seen this domain before, both metrics are undefined.
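The interval rule above, worked through in code. This is an added illustration, not Pandorica's own implementation: it assumes the parse step yields (date, domain, action) events and computes the residence or reinsert interval for each, leaving both undefined for a domain's first appearance; the domains and dates are constructed.

```python
from datetime import date

# Constructed sample release-note events (ISO date, domain, action), the shape
# the parse step would store in Elasticsearch. Names and dates are made up.
SAMPLE_EVENTS = [
    ("2019-06-01", "bad.example", "added"),
    ("2019-06-11", "bad.example", "removed"),
    ("2019-06-18", "bad.example", "added"),
    ("2019-06-01", "other.example", "added"),
    ("2019-06-05", "other.example", "removed"),
]


def calculate_intervals(events):
    """Attach a residence or reinsert interval (in days) to each event.

    For a removal, residence_days = days since the domain was last added.
    For an addition, reinsert_days = days since the domain was last removed.
    At most one of the two is set; both stay None for a domain's first
    appearance, or for a repeated add/remove with no opposite event between.
    """
    last_added = {}    # domain -> date of most recent "added" not yet removed
    last_removed = {}  # domain -> date of most recent "removed" not yet re-added
    results = []
    # Stable sort, so same-day events keep their release-note order.
    for day, domain, action in sorted(events, key=lambda e: e[0]):
        when = date.fromisoformat(day)
        residence = reinsert = None
        if action == "removed":
            prior_add = last_added.pop(domain, None)
            if prior_add is not None:
                residence = (when - prior_add).days
            last_removed[domain] = when
        elif action == "added":
            prior_remove = last_removed.pop(domain, None)
            if prior_remove is not None:
                reinsert = (when - prior_remove).days
            last_added[domain] = when
        else:
            raise ValueError(f"unknown action {action!r} for {domain}")
        results.append({"date": day, "domain": domain, "action": action,
                        "residence_days": residence, "reinsert_days": reinsert})
    return results


if __name__ == "__main__":
    for row in calculate_intervals(SAMPLE_EVENTS):
        print(row)
```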

More questions?

Please forward any questions about Pandorica that are not answered in this wiki to the author or the SP-Solutions team at Palo Alto Networks.