1024: Beaconing activity detected: using active list chaining

Document created by tinacostilla on Sep 14, 2012Last modified by tliu on Jul 8, 2014
Version 2Show Document
  • View in full screen mode

1024

Beaconing activity detected: using active list chaining

Speaker: Eric Wadlin, SRA

Attend this session and learn how to track network connections through time. We’ll demonstrate a straightforward solution for finding beaconing activity, and we’ll explore its benefits and drawbacks. We’ll also give you specific reasons why filtering some types of events out of the set of beaconing lists and rules will improve performance. These rules and lists can be used with any device type that reports source and destination IP addresses to ArcSight. In addition, we’ll discuss how the use of multiple active lists will eliminate the false positives created by a large number of connections over a short period of time. (This solution will not use ArcSight's statistical functions.)

 

 

Attachments

Outcomes