11-13-2024 07:24 PM
Attention: JAPAC TPM team
I would like to know the following about Correlation Object (Beacon Detection) event generation.
We understand from the following descriptions that Beacon Detection is defined by how many times a malicious activity (e.g. access to a threat URL) occurs in a given period of time.
[Correlation Object]
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-the-automated-correlation-...
-----
Each pattern has a severity rating, and a threshold for the number of times the pattern match must occur within a defined time limit to indicate malicious activity.
When the match conditions are met, a correlated event is logged.
-----
WebGUI description of Beacon Detection (Monitor > Automated Correlation Engine > Correlation Objects):
-----
This correlation object detects likely compromised hosts based on activity that resembles command-and-control (C2) beaconing, such as repeated visits to recently registered domains or dynamic DNS domains, repeated file downloads from the same location, generation of unknown traffic, etc.
-----
About Beacon Detection,
Can you please tell me the exact value of the threshold for the number of times?
Also, can you tell us how long a period is specified for detecting malicious activity?
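As an added illustration (this is not part of the original post, not Palo Alto Networks code, and not the actual Beacon Detection logic), the mechanism quoted from the documentation, a count of pattern matches per host that must reach a threshold within a time window before a correlated event is logged, can be sketched as a sliding-window counter. The log records, the category names, and the threshold and window values below are all constructed placeholders; the real threshold and window for Beacon Detection are exactly what the post asks about and are not given on this page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records for illustration (not real PAN-OS URL filtering logs):
# (timestamp, source host, destination domain, URL category)
SAMPLE_EVENTS = [
    ("2024-11-13 07:00:00", "10.1.1.5", "abc123.duckdns.org", "dynamic-dns"),
    ("2024-11-13 07:05:00", "10.1.1.5", "abc123.duckdns.org", "dynamic-dns"),
    ("2024-11-13 07:10:00", "10.1.1.5", "abc123.duckdns.org", "dynamic-dns"),
    ("2024-11-13 07:15:00", "10.1.1.5", "abc123.duckdns.org", "dynamic-dns"),
    ("2024-11-13 07:20:00", "10.1.1.5", "abc123.duckdns.org", "dynamic-dns"),
    ("2024-11-13 07:02:00", "10.1.1.9", "newly-registered.example", "newly-registered-domain"),
    ("2024-11-13 09:30:00", "10.1.1.9", "newly-registered.example", "newly-registered-domain"),
    ("2024-11-13 07:03:00", "10.1.1.7", "www.example.com", "computer-and-internet-info"),
]

# Hypothetical set of categories treated as a "pattern match" for this example.
SUSPICIOUS_CATEGORIES = {"dynamic-dns", "newly-registered-domain"}


def correlate(events, threshold, window_minutes):
    """Return one (host, domain, timestamp) tuple per host/domain pair whose
    suspicious hits reach `threshold` within any `window_minutes` span.

    `threshold` and `window_minutes` are placeholders; the real values used by
    the Beacon Detection correlation object are not known from this page.
    """
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=lambda e: e[0])  # process in time order
    recent = defaultdict(deque)  # (host, domain) -> timestamps inside the window
    fired = set()                # log each correlated event only once per pair
    alerts = []
    for ts, host, domain, category in events:
        if category not in SUSPICIOUS_CATEGORIES:
            continue  # not a pattern match, does not count toward the threshold
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[(host, domain)]
        q.append(t)
        # Drop matches older than the window so only the last window_minutes count.
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold and (host, domain) not in fired:
            fired.add((host, domain))
            alerts.append((host, domain, ts))
    return alerts


if __name__ == "__main__":
    # Five dynamic-DNS hits from 10.1.1.5 within 20 minutes: fires at threshold 5 / 60 min.
    # Two newly-registered-domain hits from 10.1.1.9 are 2.5 hours apart: no event at 60 min.
    for alert in correlate(SAMPLE_EVENTS, threshold=5, window_minutes=60):
        print("correlated event:", alert)
```

The two knobs, `threshold` and `window_minutes`, are the quantities the post is asking the vendor to disclose; widening the window or lowering the threshold makes the second host fire too, which is why the exact values matter when judging how noisy or how slow the correlation object will be.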