Cisco FTD 2110

shaikh.zaid22
Level 1

Need assistance in identifying logs on Cisco FMC. We occasionally receive advisories for malicious DNS communication from our network, e.g.:

source ip   dest ip          app   signature   url
10.x.x.x    146.148.78.118   ssl   C2 conn     www.partsfastmiami.com/

Now when I search in the connection logs on FMC I do not see any traffic or any logs for the above-mentioned IP for that timestamp.

How can I find this traffic traversing our firewall on FMC?

10 Replies

Milos_Jovanovic
VIP Alumni

Logging on FMC really depends on whether you are logging this kind of traffic or not, which is configured per rule.

Based on the description, it looks to me like this is categorized as CnC communication, so I would expect this to be under Security Intelligence events, but only if you configured SI and enabled logging. Afterwards, you could see it under Analysis / Connection Events / Security Intelligence Events.

BR,

Milos

Thanks Milos,

Yes, you are right, it's a CnC. Can you guide me on how I check whether SI has been enabled?

I believe it's been enabled, that's why I see blocked IPs under Analysis > Connection > SI events.

However, when I filter it with the concerned IP address or URL I do not see any logs.

Could you please guide me... am I missing something?

Some form of Security Intelligence is always enabled as it includes Global Blacklist and Whitelist categories. What's optional is whether you have included additional categories (such as CnC as well as numerous others like Botnets, Cryptomining, Banking Fraud, etc.). Look under your associated Access Control Policy under the Security Intelligence tab.

As far as seeing the event, are you searching under Security Intelligence events? It may never show up as Connection Event if it was blocked by SI prior to even making a connection.

Thanks Marvin...

Yes, I see the SI is enabled along with the default global black & whitelists; we apply additional malicious IPs and URLs as we receive threat intelligence reports every day from our ISP.

As you correctly said, I am searching these so-called malicious C2 communications under SI events; however, I do not find any logs here. Just FYI, I saw the logging under the ACL was enabled for "log when connection ends", which I updated to "log when connection begins".

One such example:

6/27/21   src       dest            dest-port   category   dest-loc   trnport   sign   url
8:36      x.x.x.x   136.243.10.27   80          malware    Ger        tcp       C2C    track.regaming.com

In general, you would rarely want to use the "log at beginning" option for connections that you are not blocking. The reason for that is that "log at the end" contains much more information about the same connection.

Still, SI logging is not tied to these logs, but you have specific logging for each category - DNS, Network and URL. You can find more details about SI here.

I would assume if you don't see these in logs, then, most likely, your logging is not configured properly. It is expected to see blocked SI events in SI Connection Events, if you configured logging.

BR,

Milos

Thanks Milos

I will go through the document.

Just to reiterate, I can see SI logs for those IP addresses which I had added as blacklisted IPs. However, the IPs in concern above are not displayed when filtered.

Anyway, thanks a lot. I will get back to you after referring to the document.

Gone through the document..

I can see the SI objects are enabled to log. Please see the attached for both IP addresses and URLs.

ACL logging is also enabled for end of connection.

Your logging looks fine.

Have you enabled all categories that SI has (Attackers, Bots, Malware, etc.)? Have you enabled it for both Network and URL? An example is attached. Also, have you checked Lists and Feeds for SI (they can be found under Objects), and made sure they are getting updated?

If yes, then it could be that Cisco's SI list and your ISP's are not the same.

BR,

Milos
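As an added example (not from the thread, and not Cisco's own tooling), one way to do the cross-check Milos suggests before blaming logging: parse the custom SI Network and URL lists you maintain from the ISP feeds and confirm the advisory's indicators are actually on them, because if they are not, no SI event will ever exist for that advisory. The list contents below are constructed samples, and matching URL entries on hostname only is an assumption of this example, not FMC's matching rule.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lists in the one-entry-per-line form of a custom SI Network
# list and URL list (Objects > Security Intelligence). They are not the thread's
# attachments; the two advisory indicators from the thread are included on purpose.
NETWORK_LIST = """\
# ISP feed, constructed sample
146.148.78.0/24
136.243.10.27
"""
URL_LIST = """\
www.partsfastmiami.com/
track.regaming.com
"""

def parse_network_list(text):
    """Return the IP networks in a Network list; single hosts become /32 or /128."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def normalize_host(entry):
    """Reduce a URL, host/path or bare host to a lower-case hostname (assumption:
    host-level comparison is enough to decide whether an entry is present)."""
    if "://" not in entry:
        entry = "http://" + entry
    return (urlsplit(entry).hostname or "").lower().rstrip(".")

def parse_url_list(text):
    """Return the set of hostnames covered by a URL list."""
    return {normalize_host(raw.strip()) for raw in text.splitlines()
            if raw.strip() and not raw.lstrip().startswith("#")}

def indicator_covered(ip, url, nets, hosts):
    """Report whether an advisory's IP and URL are on the local lists.
    A False here is one explanation for finding no SI event for the advisory."""
    addr = ipaddress.ip_address(ip)
    return {"network": any(addr in net for net in nets),
            "url": normalize_host(url) in hosts}

if __name__ == "__main__":  # check the first advisory from the thread
    print(indicator_covered("146.148.78.118", "www.partsfastmiami.com/",
                            parse_network_list(NETWORK_LIST), parse_url_list(URL_LIST)))
```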

Yes, you can see the attached. Both network and URL objects are applied.

Under Feeds and Lists we have custom blacklists for IP addresses and URLs.

If you can observe, the categories show red cross marks in my attachment, contrary to yours.

Hi Milos, Marvin,

At last I am able to see the logs under SI and Events.

The database in FMC for connection events and SI event logs was set to 1 million logs. I updated it to 10 million.

Now I am able to view the logs :)

Thanks for your insights
