How to detect beaconing

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to detect beaconing

L1 Bithead

Is there any way to use XDR or the NGFW logs to detect beaconing?

1 accepted solution

Accepted Solutions

Thank you for elaborating more, 

Behind the scenes we look on connection to domains  in order to detect abnormal activities,  in the Cortex XDR UI we display the information rounded to minutes or hours depends on the type of the detection.

You are correct that using the Explore app you can see the actual data once you have the URL you are looking for.

 

I opened feature request to allow user to query for URLs on specific intervals. 

 

Menachem. 

View solution in original post

5 REPLIES 5

L1 Bithead

There are many ways we can detect C2 (beaconing) activities using the Cortex XDR, we can do it by looking on the endpoint and or the network data, take a look here for a few examples of the detections we have in the product

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-... 

In addition for that we have many more ways to detect using C2 as an example protecting the endpoint.

 

Menachem. 

Thanks, Menachem.

 

I can see there are several built in detections. What I was looking for was a way to use the Investigation > Query Builder (or NGFW logs) to detect beaconing where the built in detectors haven't identified the events. The kind of traffic I was hoping to detect was regular connections to the same IP address/domain where that domain wasn't necessarily malicious (or randomly generated). 

Hi Christowner,

 

You can leverage the existing pre-built in query builder to query and do threat hunting for different C2 activities like attackers leveraging regular connections to hide their channels or attackers using benign domains or files, Cortex XDR have multiple methods to detect attackers from pre-built in ML algorithms to rules or signatures and you can also create your own different queries for detection.

 

If you have a specific type of attack you would like to know feel free to send me PM or post it here. 

 

Menachem.    

Hi Menachem,

 

Thanks again. The exact attack is where C&C beaconing occurs using HTTPS to a domain at 10 second intervals. I have the domain details now, so I can query the NGFW and XDR logs for the data. What I am trying to do is work out how I would be able to find this traffic if I didn't already know the domain. The XDR logs do not show network beaconing at 10 second intervals as the same source process made repeated HTTPS requests (so it only shows the requests at 5-20 minute intervals as associated with a process). The NGFW does show the exact traffic, but I don't see a way to create a query that shows any domain access that repeats at regular intervals (or to query the NGFW at all in XDR, outside of Explore).

 

Thanks for your continued help,

Chris.

Thank you for elaborating more, 

Behind the scenes we look on connection to domains  in order to detect abnormal activities,  in the Cortex XDR UI we display the information rounded to minutes or hours depends on the type of the detection.

You are correct that using the Explore app you can see the actual data once you have the URL you are looking for.

 

I opened feature request to allow user to query for URLs on specific intervals. 

 

Menachem. 

  • 1 accepted solution
  • 11276 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!