This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

About Correlation Object Detection

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

About Correlation Object Detection

S.Kawamoto
L0 Member

‎11-13-2024 07:24 PM

Attention: JAPAC TPM team

 

I would like to know the following about Correlation Object (Beacon Detection) event generation.
We recognize that Beacon Detection defines how many times a malicious activity (e.g. access to threat URL) in a given period of time from the following descriptions.

[Correlation Object]
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-the-automated-correlation-...
-----
Each pattern has a severity rating, and a threshold for the number of times the pattern match must occur within a defined time limit to indicate malicious activity.
When the match conditions are met, a correlated event is logged.
-----

WebGUI description of Beacon Detection (Monitor > Automated Correlation Engine > Correlation Objects):
-----
This correlation object detects likely compromised hosts based on activity that resembles command-and-control (C2) beaconing, such as repeated visits to recently registered domains or dynamic DNS domains, repeated file downloads from the same location, generation of unknown traffic, etc.
-----

About the Beacon Detection,
Can you please tell me the exact value of a threshold for the number of times?
Also, can you tell us how long period is specified to detect malicious activity?

0 Likes Likes
0 REPLIES 0
  • 33 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks