Fortinet - Beacon pattern detected

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

'Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing. Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern. The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a detection is set to 4. Increase the lookback period to capture beacons with larger

Attribute Value
Type Analytic Rule
Solution Standalone Content
ID 3255ec41-6bd6-4f35-84b1-c032b18bbfcb
Severity Low
Kind Scheduled
Tactics CommandAndControl
Techniques T1071, T1571
Required Connectors Fortinet
Source View on GitHub

Tables Used

This content item queries data from the following tables:

Table Selection Criteria Transformations Ingestion API Lake-Only
CommonSecurityLog DeviceVendor == "Fortinet" ?

Associated Connectors

The following connectors provide data for this content item:

Connector Solution
CefAma Common Event Format
CloudNSSAuditLogs_ccp Zscaler Internet Access
CloudNSSCASBActivityLogs_ccp Zscaler Internet Access
CloudNSSCASBCRMLogs_ccp Zscaler Internet Access
CloudNSSCASBCloudStorageLogs_ccp Zscaler Internet Access
CloudNSSCASBCollabLogs_ccp Zscaler Internet Access
CloudNSSCASBEmailLogs_ccp Zscaler Internet Access
CloudNSSCASBFileSharingLogs_ccp Zscaler Internet Access
CloudNSSCASBITSMLogs_ccp Zscaler Internet Access
CloudNSSCASBRepoLogs_ccp Zscaler Internet Access
CloudNSSDNSLogs_ccp Zscaler Internet Access
CloudNSSEmailDLPLogs_ccp Zscaler Internet Access
CloudNSSEndpointDLPLogs_ccp Zscaler Internet Access
CloudNSSFWLogs_ccp Zscaler Internet Access
CloudNSSTunnelLogs_ccp Zscaler Internet Access
CloudNSSWebLogs_ccp Zscaler Internet Access
VirtualMetricDirectorProxy VirtualMetric DataStream
VirtualMetricMSSentinelConnector VirtualMetric DataStream
VirtualMetricMSSentinelDataLakeConnector VirtualMetric DataStream

Solutions: Common Event Format, VirtualMetric DataStream, Zscaler Internet Access

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Analytic Rules