topic How to detect beaconing in Cortex XDR Discussions

How to detect beaconing

christowner — Fri, 17 Jan 2020 11:22:26 GMT

Is there any way to use XDR or the NGFW logs to detect beaconing?

Re: How to detect beaconing

mperlman — Sun, 19 Jan 2020 20:26:17 GMT

There are many ways we can detect C2 (beaconing) activities using the Cortex XDR, we can do it by looking on the endpoint and or the network data, take a look here for a few examples of the detections we have in the product

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference.html

In addition for that we have many more ways to detect using C2 as an example protecting the endpoint.

Menachem.

Re: How to detect beaconing

christowner — Mon, 20 Jan 2020 08:42:34 GMT

Thanks, Menachem.

I can see there are several built in detections. What I was looking for was a way to use the Investigation > Query Builder (or NGFW logs) to detect beaconing where the built in detectors haven't identified the events. The kind of traffic I was hoping to detect was regular connections to the same IP address/domain where that domain wasn't necessarily malicious (or randomly generated).

Re: How to detect beaconing

mperlman — Mon, 20 Jan 2020 14:01:51 GMT

Hi Christowner,

You can leverage the existing pre-built in query builder to query and do threat hunting for different C2 activities like attackers leveraging regular connections to hide their channels or attackers using benign domains or files, Cortex XDR have multiple methods to detect attackers from pre-built in ML algorithms to rules or signatures and you can also create your own different queries for detection.

If you have a specific type of attack you would like to know feel free to send me PM or post it here.

Menachem.

Re: How to detect beaconing

christowner — Mon, 20 Jan 2020 16:08:16 GMT

Hi Menachem,

Thanks again. The exact attack is where C&C beaconing occurs using HTTPS to a domain at 10 second intervals. I have the domain details now, so I can query the NGFW and XDR logs for the data. What I am trying to do is work out how I would be able to find this traffic if I didn't already know the domain. The XDR logs do not show network beaconing at 10 second intervals as the same source process made repeated HTTPS requests (so it only shows the requests at 5-20 minute intervals as associated with a process). The NGFW does show the exact traffic, but I don't see a way to create a query that shows any domain access that repeats at regular intervals (or to query the NGFW at all in XDR, outside of Explore).

Thanks for your continued help,

Chris.

Re: How to detect beaconing

mperlman — Mon, 20 Jan 2020 16:07:58 GMT

Thank you for elaborating more,

Behind the scenes we look on connection to domains in order to detect abnormal activities, in the Cortex XDR UI we display the information rounded to minutes or hours depends on the type of the detection.

You are correct that using the Explore app you can see the actual data once you have the URL you are looking for.

I opened feature request to allow user to query for URLs on specific intervals.

Menachem.