Monitor > Botnet
The botnet report uses behavior-based mechanisms to identify hosts in your network that are potentially infected with malware or are part of a botnet. The report assigns each host a confidence score from 1 to 5 to indicate the likelihood of botnet infection, where 5 indicates the highest likelihood. Before scheduling the report or running it on demand, you must configure it to specify which types of traffic count as suspicious. The PAN-OS Administrator’s Guide provides details on interpreting botnet report output.
Managing Botnet Reports
Before generating the botnet report, you must specify the types of traffic that indicate potential botnet activity (see Configuring the Botnet Report). To schedule a daily report or run it on demand, click Report Setting and complete the following fields. To export a report, select it and click Export to PDF, Export to CSV, or Export to XML.
Botnet Report Settings

Test Run Time Frame
Select the time interval for the report: Last 24 Hours (default) or Last Calendar Day.

Run Now
Click Run Now to generate a report manually and immediately. The report displays in a new tab within the Botnet Report dialog.

No. of Rows
Specify the number of rows to display in the report (default is 100).

Scheduled
Select this option to generate the report automatically every day. This option is enabled by default.

Query Builder (Optional)
Add queries to the Query Builder to filter the report output by attributes such as source/destination IP addresses, users, or zones. For example, if you know that traffic initiated from the IP address 192.0.2.0 contains no potential botnet activity, you can add not (addr.src in 192.0.2.0) as a query to exclude that host from the report output.
- Connector—Select a logical connector (and or or). If you select Negate, the report excludes the hosts that the query specifies.
- Attribute—Select a zone, address, or user that is associated with the hosts that the firewall evaluates for botnet activity.
- Operator—Select an operator to relate the Attribute to a Value.
- Value—Enter a value for the query to match.
Configuring the Botnet Report
To specify the types of traffic that indicate potential botnet activity, click Configuration on the right side of the Botnet page and complete the following fields. After configuring the report, you can run it on demand or schedule it to run daily (see Monitor > PDF Reports > Manage PDF Summary).
Botnet Configuration Settings

HTTP Traffic
Enable and define the Count for each type of HTTP Traffic that the report will include. The Count values you enter are the minimum number of events of each traffic type that must occur for the report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If the number of events is less than the Count, the report displays the lower confidence score or (for certain traffic types) does not display an entry for the host.
- Malware URL visit (range is 2–1000; default is 5)—Identifies users communicating with known malware URLs based on the malware and botnet URL filtering categories.
- Use of dynamic DNS (range is 2–1000; default is 5)—Looks for dynamic DNS query traffic that might indicate malware, botnet communications, or exploit kits. Generally, using dynamic DNS domains is very risky. Malware often uses dynamic DNS to avoid IP blacklisting. Consider using URL filtering to block such traffic.
- Browsing to IP domains (range is 2–1000; default is 10)—Identifies users who browse to IP addresses instead of domain-name URLs.
- Browsing to recently registered domains (range is 2–1000; default is 5)—Looks for traffic to domains that were registered within the past 30 days. Attackers, malware, and exploit kits often use newly registered domains.
- Executable files from unknown sites (range is 2–1000; default is 5)—Identifies executable files downloaded from unknown URLs. Executable files are a part of many infections and, when combined with other types of suspicious traffic, can help you prioritize host investigations.

Unknown Applications
Define the thresholds that determine whether the report will include traffic associated with suspicious Unknown TCP or Unknown UDP applications.
- Sessions Per Hour (range is 1–3600; default is 10)—The report includes traffic that involves up to the specified number of application sessions per hour.
- Destinations Per Hour (range is 1–3600; default is 10)—The report includes traffic that involves up to the specified number of application destinations per hour.
- Minimum Bytes (range is 1–200; default is 50)—The report includes traffic for which the application payload equals or exceeds the specified size.
- Maximum Bytes (range is 1–200; default is 100)—The report includes traffic for which the application payload is equal to or less than the specified size.

IRC
Select this option to include traffic involving IRC servers.
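The following is an added example, not PAN-OS code, that applies the two pieces of this page's logic to constructed traffic-log records: a Query Builder term such as `not (addr.src in 192.0.2.0)` (from the Managing Botnet Reports section) and the HTTP Traffic Counts and Unknown Applications limits described above. It reports which thresholds each source host crosses; how PAN-OS turns those counters into the 1 to 5 confidence score is not documented on this page, so the example stops at the threshold checks. The record layout, event tags, the `rec` helper and all addresses are constructed for the example.

```python
"""Added example (not PAN-OS code): check constructed traffic logs against the
botnet report thresholds and a Query Builder filter described on this page."""
import ipaddress
from collections import Counter, defaultdict

# Page defaults for the HTTP Traffic Counts; the event tags are hypothetical
HTTP_COUNTS = {"malware_url": 5, "dynamic_dns": 5, "ip_domain": 10,
               "recent_domain": 5, "unknown_exe": 5}
# Page defaults for the Unknown Applications thresholds
UNKNOWN_APP = {"sessions_per_hour": 10, "destinations_per_hour": 10,
               "min_bytes": 50, "max_bytes": 100}


def rec(src, dst, event=None, app="web-browsing", size=700, hour=9,
        zone="trust", user="alice"):
    """Build one constructed log record in the shape the functions below expect."""
    return {"addr.src": src, "addr.dst": dst, "zone.src": zone, "user.src": user,
            "event": event, "app": app, "bytes": size, "hour": hour}


# Constructed sample logs using documentation-range addresses
SAMPLE_LOGS = (
    # 10.1.1.7: six malware URL visits (crosses Count 5), four IP-domain visits (below 10)
    [rec("10.1.1.7", "203.0.113.9", "malware_url") for _ in range(6)]
    + [rec("10.1.1.7", "203.0.113.10", "ip_domain") for _ in range(4)]
    # 10.1.1.8: six dynamic DNS queries; EXCLUDE_QUERY below drops this host
    + [rec("10.1.1.8", "203.0.113.11", "dynamic_dns", user="bob") for _ in range(6)]
    # 10.1.1.9: unknown-udp sessions, three inside 50-100 bytes, one above Maximum Bytes
    + [rec("10.1.1.9", "198.51.100.1", app="unknown-udp", size=60, hour=10),
       rec("10.1.1.9", "198.51.100.1", app="unknown-udp", size=80, hour=10),
       rec("10.1.1.9", "198.51.100.2", app="unknown-udp", size=90, hour=10),
       rec("10.1.1.9", "198.51.100.2", app="unknown-udp", size=300, hour=10)]
)

# Query Builder terms as (negate, attribute, operator, value), and-ed together.
# This mirrors the page's `not (addr.src in 192.0.2.0)` for the host 10.1.1.8.
EXCLUDE_QUERY = [(True, "addr.src", "in", "10.1.1.8")]


def query_matches(record, query):
    """True when the record passes every term: a Negate term excludes on a hit,
    a normal term excludes on a miss. `in` takes an address or CIDR, `eq` text."""
    for negate, attr, op, value in query:
        field = record[attr]
        if op == "in":
            hit = ipaddress.ip_address(field) in ipaddress.ip_network(value, strict=False)
        elif op == "eq":
            hit = field == value
        else:
            raise ValueError(f"unsupported operator {op!r}")
        if hit == negate:
            return False
    return True


def http_threshold_hits(records, counts=HTTP_COUNTS):
    """Map each source host to the HTTP traffic types whose event count reached
    the configured Count; hosts that cross no Count are omitted."""
    per_host = defaultdict(Counter)
    for r in records:
        if r["event"] in counts:
            per_host[r["addr.src"]][r["event"]] += 1
    result = {}
    for host, events in per_host.items():
        crossed = sorted(ev for ev, n in events.items() if n >= counts[ev])
        if crossed:
            result[host] = crossed
    return result


def unknown_app_hosts(records, limits=UNKNOWN_APP):
    """Hosts whose unknown-tcp/udp traffic fits the inclusion rules: payload
    between Minimum and Maximum Bytes, and at most Sessions Per Hour sessions
    and Destinations Per Hour distinct destinations in any hour."""
    sessions = Counter()        # (host, hour) -> session count
    dests = defaultdict(set)    # (host, hour) -> distinct destinations
    for r in records:
        if r["app"] not in ("unknown-tcp", "unknown-udp"):
            continue
        if not limits["min_bytes"] <= r["bytes"] <= limits["max_bytes"]:
            continue
        key = (r["addr.src"], r["hour"])
        sessions[key] += 1
        dests[key].add(r["addr.dst"])
    return sorted({host for (host, hour), n in sessions.items()
                   if n <= limits["sessions_per_hour"]
                   and len(dests[(host, hour)]) <= limits["destinations_per_hour"]})


def run_report(records, query=()):
    """Apply the Query Builder filter first, then both threshold checks."""
    kept = [r for r in records if query_matches(r, query)]
    return {"http": http_threshold_hits(kept), "unknown_apps": unknown_app_hosts(kept)}


if __name__ == "__main__":
    print(run_report(SAMPLE_LOGS))                 # 10.1.1.8 listed for dynamic_dns
    print(run_report(SAMPLE_LOGS, EXCLUDE_QUERY))  # 10.1.1.8 removed by the query
```

Running the unfiltered report lists 10.1.1.7 for malware URL visits only (its four IP-domain visits stay below the Count of 10) and 10.1.1.8 for dynamic DNS; with the negated query applied, 10.1.1.8 disappears, just as the page's `not (addr.src in 192.0.2.0)` example removes a known-clean host. The unknown-application check keeps 10.1.1.9 because its three in-range sessions and two destinations are within the hourly limits, and the 300-byte session is ignored because it exceeds Maximum Bytes.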