About christowner

Hi  Menachem,   Thanks again. The exact attack is where C&C beaconing occurs using HTTPS to a domain at 10 second intervals. I have the domain details now, so I can query the NGFW and XDR logs for the data. What I am trying to do is work out how I would be able to find this traffic if I didn't already know the domain. The XDR logs do not show network beaconing at 10 second intervals as the same source process made repeated HTTPS requests (so it only shows the requests at 5-20 minute intervals as associated with a process). The NGFW does show the exact traffic, but I don't see a way to create a query that shows any domain access that repeats at regular intervals (or to query the NGFW at all in XDR, outside of Explore).   Thanks for your continued help, Chris. ... View more

Thanks,  Menachem.   I can see there are several built in detections. What I was looking for was a way to use the Investigation > Query Builder (or NGFW logs) to detect beaconing where the built in detectors haven't identified the events. The kind of traffic I was hoping to detect was regular connections to the same IP address/domain where that domain wasn't necessarily malicious (or randomly generated).  ... View more