5.7.2.17. `Beacon detect` screen (Beacon command)

5.7.2.17.1. Introduction

The `Beacon detect` screen is used to:

Activate the engine
Configure detection sensitivity
Define the list of url not to be analyzed and therefore consider them to be healthy

This screen is only accessible to members of the operator group.

5.7.2.17.2. Links associated

The engine is presented in the Beacon detect engine paragraph.
The visualization of the current engine status is given in the `Health checks` screen.
For engine setting implementation, see the Setting up the beacon detect engine procedure.
For implementation of the exception list, see the Managing the Ignore list of the Beacon detect procedure.

5.7.2.17.3. Screen description

After pressing the `Beacon` command on the `Detection Strategy\C&C` menu, the `Beacon detect` screen is displayed.

../../../../_images/GCE103_BEACON_01.PNG

For administrator group members, the following message is displayed: `Error 403:Insufficient permissions`.

Area	Function
`Settings`	Engine settings
`Ignore list`	List of ignored url which are considered healthy

5.7.2.17.4. `Settings` area of the `Beacon detect` screen

The `Settings` area (1) displays the engine settings.

Item	Name	Function
1	`Settings`	Includes all engine settings
2	`Beacon detect activation`	Engine activation zone
3	`Enabled` selector	Activates or deactivates the engine
4	`Gcaps` field	Displays the selected GCaps
5	`Alerts rate limiter` zone	Limits the alerts generated for the same suspicious connection`
6	`Limited amount of alerts generated for the same suspicious connection` selector	Activates the function
7	`Max alert count`	Maximum number of alerts
8	`Time window (hours)`	Duration during which the counting is done
9	`Sensitivity`	Engine sensitivity adjustment zone
10	`Custom-Presets`	Sensitivity level setting slider The sensibility level is the combinaison of the activation of different parameters. This combinaison can be define manually (`Custom` choice) or use predefined settings (`Presets` choice) If cursor is in position `Presets`, setting the sensitivity level is done by the selector `Sensitivity level`. If the selector is in the `Custom` position, the sensitivity level is set by the `Filtered domains` area that appears. For more details see below.
11	`Sensitivity level` slider	Sets sensitivity by preset levels. Default: Standard
12	`Discard changes` button	Cancels current changes
13	`Save changes` button	Saves current changes

5.7.2.17.4.1. Filtered domains area

../../../../_images/GCE103_BEACON_08.PNG

Item	Name	Function
1	`Filtered domains`	Configuration window to filter domains ie the listed domains are considered healthy
2	`Most visited worldwide sites` selector	If used, the domains that correspond to Most visited sites in the world are filtered
3	`Double-check ignored domains with malleable profile detection`	The `Double-check ignored domains with malleable profile detection` is displayed only when `Social media APIs` is displayed. This option only applies to http event-type whose hostname is not an IP address. This option is only used when a hostname associated with a http beaconing connection is present in one of the public ignore lists (known public domains and social network APIs). It is then necessary to verify that the hostname is present in a DNS log and that its IP address (found in the DNS log) corresponds to the dest_ip of the connection. The presence of the hostname in the ignore list but also in the DNS logs confirms that it is a legitimate beacon. The presence of the hostname in the ignore list but not in the DNS logs can indicate the presence of a potentially malicious beacon that has undergone a change in the Host field of the HTTP header. This scan should be performed if there are at least 24 hours of DNS events. These 24 hours are necessary because the default configuration of most DNS servers is a 24-hour cache. Thus, not finding a domain resolution in the last 24 hours does not necessarily mean that the domain has not been resolved (and is therefore a malleable profile), since it could be in the cache.
4	`Social media APIs` selector	If used, the domains that correspond to social media APIs are filtered The `Double-check ignored domains with malleable profile detection` is displayed only when `Social media APIs is displayed.
5	`Internal destination IP addresses` selector	If used, only alerts with a public IP destination are displayed in the `destination.ip`.
6	`Ignore commonly accessed domains` selector	If used, filters frequently accessed/popular domains within the company. The popularity of a domain is determined by the number of unique customers in the company who have accessed that domain. This number is defined in the parameter `unique clients to consider a domain as common`. By default, the time range [now; -3 days] determines the popularity of a domain. However, there is the following risk. Taking into account the last 24 hours, a C2 that has implants on several machines that can be activated simultaneously, making the C2 domain a popular domain. Hence the presence of the option `Do not ignore new domains for the last 24h (better detection in case of multiple and simultaneous activation of beacons)`
7	`unique clients to consider a domain as common`	Defines the number of different clients that have accessed this domain.
8	`Do not ignore new domains for the last 24h (better detection in case of multiple and simultaneous activation of beacons)`	This option allows to not ignore (i.e., allow the analysis of new domains) new domains from the last 24 hours. In conclusion, after analysis on the 24h, the new analyzed and therefore healthy domains can then be ignored because being part of `Ignore commonly accessed domains`

5.7.2.17.4.2. Presets choices and the associated parameters

Definition of preset levels
Parameter	`Low`	`Standard`	`High`	`Very high`
`Most visited worldwide sites`	Active with malleable profile detection option is inactive	Active with malleable profile detection option is inactive	Active with malleable profile detection option is active	Active with malleable profile detection option is active
`Most visited worldwide sites`	Active with malleable profile detection option is inactive	Active with malleable profile detection option is inactive	Active with malleable profile detection option is active	Inactive
`Social media APIs`	Active but (option malleable profile detection option is inactive)	Inactive	Inactive	Inactive
`Internal destination IP addresses`	Active	Active	Active	Inactive
`Ignore commonly accessed domains`	Active with Max. 2 unique clients to consider as common. Domains from last 24h are also ignored	Active with Max. 5 unique clients to consider as common. Domains from last 24h are also ignored	Active with Max. 5 unique clients to consider as common. Domains from last 24h will not be ignored	Inactive

Note

The `Low` setting increases the number of domain names ignored so there will be fewer alerts and less false positives.
At the moment, the `Very high` setting generates more alerts and therefore more false positives.

5.7.2.17.5. `Ignore list` area of the `Beacon detect` screen

The `Ignore list` area enables to filter the domains and IP addresses considered healthy.

It can be completed manually:

The first days of engine activation to correct some possible false positives
Following the activation of an option to increase engine sensitivity
After an investigation leading to the identification of a false positive

After clicking on the `Ignore list` button, the following window is displayed.

../../../../_images/GCE103_BEACON_02.PNG

Item	Name	Function
1	`Ignore list` area	The `Ignore list` area enables to filter the domains and IP addresses considered healthy.
	`Ignore list is a set of exceptions, based on target IP or domains.` `Beacon detect discards alerts that match these exceptions.` `This can be used to discard false positive detections that occur regularly, for instance because a legitimate software is implemented with a beacon-like mechanism where clients poll servers periodically..`	Short information about this screen. The Learn more link opens the embedded documentation on the corresponding page.
2	`Most frequent domains detected` zone	Zone displaying the most frequent domains detected For each domain, the following information is displayed:
3	`Destination`	Domain URL or IP address
4	`Count`	Indicates the number of occurrences of the domain name
5	`Actions`	Possible actions for this destination
6	`Manually add a destination` button	Opens the window to add manually a new destination
7	`Ignored destinations` area	This area list the exception list of domain defined by its URL For each domain, the following information is displayed:
8	`Destination`	Domain URL or IP address
9	`By`	Indicates the account which has created the destination
10	`Since`	Indicates the date and time of destination creation
11	`Delete` icon	Deletes the domain deletion