Query Details

01 CSL Beaconing Detection

Query

id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
name: "Firewall Beaconing Detection - Regular Outbound Connections"
version: 1.0.0
kind: Scheduled
description: |
  Detects internal hosts making very regular, high-frequency connections to the same external IP
  across multiple hours — the hallmark of C2 beaconing. Queries Fortinet, Palo Alto, and Zscaler
  CEF logs for allowed sessions with >20 connections, spanning ≥3 hourly buckets, with a
  beacon score (connections/hour) above 5.
  MITRE ATT&CK: T1071 (Application Layer Protocol), T1571 (Non-Standard Port)
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071
  - T1571
query: |
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
  | where DeviceAction !in ("deny", "block", "drop", "BLOCK", "DROP", "Reset-Both")
  | where isnotempty(DestinationIP)
  | where ipv4_is_private(DestinationIP) == false
  | where isnotempty(SourceIP)
  | summarize
      ConnectionCount  = count(),
      BytesSent        = sum(SentBytes),
      BytesReceived    = sum(ReceivedBytes),
      HourlyBuckets    = dcount(bin(TimeGenerated, 1h)),
      Ports            = make_set(DestinationPort, 10),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by SourceIP, DestinationIP, DeviceVendor
  | where ConnectionCount > 20 and HourlyBuckets >= 3
  | extend BeaconScore = round(toreal(ConnectionCount) / toreal(HourlyBuckets), 1)
  | where BeaconScore > 5
  | order by BeaconScore desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: DestinationIP
customDetails:
  BeaconScore: BeaconScore
  ConnectionCount: ConnectionCount
  HourlyBuckets: HourlyBuckets
alertDetailsOverride:
  alertDisplayNameFormat: "Beaconing Detected - {{SourceIP}} → {{DestinationIP}}"
  alertDescriptionFormat: "Internal host {{SourceIP}} made {{ConnectionCount}} connections to external IP {{DestinationIP}} with a regular interval pattern (beacon score: {{BeaconScore}})."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect suspicious network activity that might indicate command-and-control (C2) beaconing, a common tactic used by attackers to maintain communication with compromised systems. Here's a simple breakdown of what the query does:

  1. Data Source: It analyzes security logs from Fortinet, Palo Alto Networks, and Zscaler devices.

  2. Time Frame: The query looks at logs from the past day (24 hours).

  3. Filter Criteria:
    • It excludes logs where the action was to deny, block, or drop the connection.
    • It focuses on connections to external IP addresses (i.e., not private/internal IPs).

  4. Aggregation:
    • It counts the number of connections from each internal IP (SourceIP) to each external IP (DestinationIP).
    • It calculates the total bytes sent and received.
    • It determines how many different hourly periods (buckets) the connections span.
    • It collects the destination ports used and notes the first and last time the connection was seen.

  5. Detection Logic:
    • It identifies cases where there are more than 20 connections spanning at least 3 different hourly periods.
    • It calculates a "Beacon Score" (connections per hour) and flags cases where this score is greater than 5.

  6. Output:
    • The results are ordered by the Beacon Score, highlighting the most suspicious activities.
    • Alerts are generated with details about the source and destination IPs, connection count, and beacon score.

  7. Alerting:
    • If any suspicious activity is detected, an alert is created with a descriptive name and details.
    • The system can group related alerts into incidents based on IP addresses.

Overall, this query helps security teams identify potential C2 beaconing by looking for patterns of regular, high-frequency outbound connections from internal hosts to external IPs.
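As an added illustration (not part of this rule or its author's code), the Python below mirrors the query's filter, summarize and threshold steps over constructed sample rows, and goes one step further than the query: it also computes the coefficient of variation of the gaps between connections, which separates a steady 10-minute beacon from bursty traffic that reaches the same connections-per-hour rate. The function names, the sample IP addresses and the row layout are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

VENDORS = {"Fortinet", "Palo Alto Networks", "Zscaler"}
BLOCKED_ACTIONS = {"deny", "block", "drop", "BLOCK", "DROP", "Reset-Both"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):  # same ranges as KQL ipv4_is_private(): RFC 1918 only, unlike Python's is_private
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def _row(ts, src, dst, vendor, action="accept"):
    # Minimal stand-in for a CommonSecurityLog row (constructed, not real log data)
    return {"TimeGenerated": ts, "SourceIP": src, "DestinationIP": dst,
            "DeviceVendor": vendor, "DeviceAction": action, "DestinationPort": 443}

def sample_rows():
    """Constructed sample: one steady 10-minute beacon, one bursty host, two rows the filters drop."""
    t0 = datetime(2026, 3, 2, 8, 0)
    rows = [_row(t0 + timedelta(minutes=10 * i), "10.0.0.5", "203.0.113.10", "Fortinet") for i in range(24)]
    for start, n in ((0, 20), (120, 10), (240, 5)):  # three bursts at 1-minute spacing, hours apart
        rows += [_row(t0 + timedelta(minutes=start + i), "10.0.0.7", "198.51.100.20", "Palo Alto Networks") for i in range(n)]
    rows.append(_row(t0, "10.0.0.8", "203.0.113.10", "Zscaler", action="deny"))  # blocked session: excluded
    rows.append(_row(t0, "10.0.0.8", "10.0.0.9", "Zscaler"))  # internal destination: excluded
    return rows

def beacon_candidates(rows, min_conn=20, min_buckets=3, min_score=5.0):
    """The query's filter -> summarize -> threshold steps, plus an added inter-arrival regularity measure."""
    groups = defaultdict(list)
    for r in rows:
        if (r["DeviceVendor"] not in VENDORS or r["DeviceAction"] in BLOCKED_ACTIONS
                or not r["SourceIP"] or not r["DestinationIP"] or is_private(r["DestinationIP"])):
            continue
        groups[(r["SourceIP"], r["DestinationIP"], r["DeviceVendor"])].append(r)
    results = []
    for (src, dst, vendor), rs in groups.items():
        count = len(rs)
        buckets = len({r["TimeGenerated"].replace(minute=0, second=0, microsecond=0) for r in rs})  # dcount(bin(.., 1h))
        if count <= min_conn or buckets < min_buckets:
            continue
        score = round(count / buckets, 1)  # BeaconScore: connections per active hour, a rate only
        if score <= min_score:
            continue
        ts = sorted(r["TimeGenerated"] for r in rs)
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        gap_cv = round(pstdev(gaps) / mean(gaps), 2) if mean(gaps) > 0 else None  # 0.0 = perfectly regular
        results.append({"SourceIP": src, "DestinationIP": dst, "DeviceVendor": vendor, "ConnectionCount": count,
                        "HourlyBuckets": buckets, "BeaconScore": score, "GapCV": gap_cv})
    return sorted(results, key=lambda x: x["BeaconScore"], reverse=True)
```

Both sample hosts clear the query's thresholds, and the bursty one even ranks higher on BeaconScore; only the gap measure (0.0 for the beacon, well above 1 for the bursts) tells them apart, which is the triage check an analyst will want when this alert fires.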

Details

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLog, DeviceVendor, DeviceAction, DestinationIP, SourceIP, SentBytes, ReceivedBytes, DestinationPort, TimeGenerated, ConnectionCount, BytesSent, BytesReceived, HourlyBuckets, Ports, FirstSeen, LastSeen, BeaconScore, Address

Operators

ago(), in(), !in(), isnotempty(), ipv4_is_private(), summarize, count(), sum(), dcount(), bin(), make_set(), min(), max(), extend, round(), toreal(), order by