There are many ways we can detect C2 (beaconing) activities using the Cortex XDR, we can do it by looking on the endpoint and or the network data, take a look here for a few examples of the detections we have in the product
In addition for that we have many more ways to detect using C2 as an example protecting the endpoint.
I can see there are several built in detections. What I was looking for was a way to use the Investigation > Query Builder (or NGFW logs) to detect beaconing where the built in detectors haven't identified the events. The kind of traffic I was hoping to detect was regular connections to the same IP address/domain where that domain wasn't necessarily malicious (or randomly generated).
You can leverage the existing pre-built in query builder to query and do threat hunting for different C2 activities like attackers leveraging regular connections to hide their channels or attackers using benign domains or files, Cortex XDR have multiple methods to detect attackers from pre-built in ML algorithms to rules or signatures and you can also create your own different queries for detection.
If you have a specific type of attack you would like to know feel free to send me PM or post it here.
Thanks again. The exact attack is where C&C beaconing occurs using HTTPS to a domain at 10 second intervals. I have the domain details now, so I can query the NGFW and XDR logs for the data. What I am trying to do is work out how I would be able to find this traffic if I didn't already know the domain. The XDR logs do not show network beaconing at 10 second intervals as the same source process made repeated HTTPS requests (so it only shows the requests at 5-20 minute intervals as associated with a process). The NGFW does show the exact traffic, but I don't see a way to create a query that shows any domain access that repeats at regular intervals (or to query the NGFW at all in XDR, outside of Explore).
Thanks for your continued help,
Thank you for elaborating more,
Behind the scenes we look on connection to domains in order to detect abnormal activities, in the Cortex XDR UI we display the information rounded to minutes or hours depends on the type of the detection.
You are correct that using the Explore app you can see the actual data once you have the URL you are looking for.
I opened feature request to allow user to query for URLs on specific intervals.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!