https://live.paloaltonetworks.com/t5/next-generation-firewall/about-correlation-object-detection/m-p/617602#M5002 <P>Attention: JAPAC TPM team</P> <P>&nbsp;</P> <P>I would like to know the following about Correlation Object (Beacon Detection) event generation.<BR />We recognize that Beacon Detection defines how many times a malicious activity (e.g. access to threat URL) in a given period of time from the following descriptions.<BR /><BR />[Correlation Object]<BR /><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-the-automated-correlation-engine/automated-correlation-engine-concepts/correlation-object" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-the-automated-correlation-engine/automated-correlation-engine-concepts/correlation-object</A><BR />-----<BR />Each pattern has a severity rating, and a threshold for the number of times the pattern match must occur within a defined time limit to indicate malicious activity.<BR />When the match conditions are met, a correlated event is logged.<BR />-----<BR /><BR />WebGUI description of Beacon Detection (Monitor &gt; Automated Correlation Engine &gt; Correlation Objects):<BR />-----<BR />This correlation object detects likely compromised hosts based on activity that resembles command-and-control (C2) beaconing, such as repeated visits to recently registered domains or dynamic DNS domains, repeated file downloads from the same location, generation of unknown traffic, etc.<BR />-----<BR /><BR />About the Beacon Detection,<BR />Can you please tell me the exact value of a threshold for the number of times?<BR />Also, can you tell us how long period is specified to detect malicious activity?</P> Thu, 14 Nov 2024 03:24:45 GMT Kawariver 2024-11-14T03:24:45Z https://live.paloaltonetworks.com/t5/next-generation-firewall/about-correlation-object-detection/m-p/617602#M5002 <P>Attention: JAPAC TPM team</P> <P>&nbsp;</P> <P>I would like to know the following about Correlation Object (Beacon Detection) event generation.<BR />We recognize that Beacon Detection defines how many times a malicious activity (e.g. access to threat URL) in a given period of time from the following descriptions.<BR /><BR />[Correlation Object]<BR /><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-the-automated-correlation-engine/automated-correlation-engine-concepts/correlation-object" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-the-automated-correlation-engine/automated-correlation-engine-concepts/correlation-object</A><BR />-----<BR />Each pattern has a severity rating, and a threshold for the number of times the pattern match must occur within a defined time limit to indicate malicious activity.<BR />When the match conditions are met, a correlated event is logged.<BR />-----<BR /><BR />WebGUI description of Beacon Detection (Monitor &gt; Automated Correlation Engine &gt; Correlation Objects):<BR />-----<BR />This correlation object detects likely compromised hosts based on activity that resembles command-and-control (C2) beaconing, such as repeated visits to recently registered domains or dynamic DNS domains, repeated file downloads from the same location, generation of unknown traffic, etc.<BR />-----<BR /><BR />About the Beacon Detection,<BR />Can you please tell me the exact value of a threshold for the number of times?<BR />Also, can you tell us how long period is specified to detect malicious activity?</P> Thu, 14 Nov 2024 03:24:45 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/about-correlation-object-detection/m-p/617602#M5002 Kawariver 2024-11-14T03:24:45Z