Query Details

Firewall Beaconing Detection - Regular Outbound Connections

01 CSL Beaconing Detection

Query

CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where DeviceAction !in ("deny", "block", "drop", "BLOCK", "DROP", "Reset-Both")
| where isnotempty(DestinationIP)
| where ipv4_is_private(DestinationIP) == false
| where isnotempty(SourceIP)
| summarize
    ConnectionCount  = count(),
    BytesSent        = sum(SentBytes),
    BytesReceived    = sum(ReceivedBytes),
    HourlyBuckets    = dcount(bin(TimeGenerated, 1h)),
    Ports            = make_set(DestinationPort, 10),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by SourceIP, DestinationIP, DeviceVendor
| where ConnectionCount > 20 and HourlyBuckets >= 3
| extend BeaconScore = round(toreal(ConnectionCount) / toreal(HourlyBuckets), 1)
| where BeaconScore > 5
| order by BeaconScore desc

Explanation

This query is designed to detect suspicious network activity that might indicate command-and-control (C2) beaconing, a common tactic used by attackers to maintain communication with compromised systems. Here's a simple breakdown of what the query does:

  1. Data Source: It analyzes security logs from Fortinet, Palo Alto Networks, and Zscaler devices.

  2. Time Frame: The query looks at logs from the past day (24 hours).

  3. Filter Criteria:

    • It excludes logs where the action was to deny, block, or drop the connection.
    • It focuses on connections to external IP addresses (i.e., not private/internal IPs).
  4. Aggregation:

    • It counts the number of connections from each internal IP (SourceIP) to each external IP (DestinationIP).
    • It calculates the total bytes sent and received.
    • It determines how many different hourly periods (buckets) the connections span.
    • It collects the destination ports used and notes the first and last time the connection was seen.
  5. Detection Logic:

    • It identifies cases where there are more than 20 connections spanning at least 3 different hourly periods.
    • It calculates a "Beacon Score" (connections per hour) and flags cases where this score is greater than 5.
  6. Output:

    • The results are ordered by the Beacon Score, highlighting the most suspicious activities.
    • Alerts are generated with details about the source and destination IPs, connection count, and beacon score.
  7. Alerting:

    • If any suspicious activity is detected, an alert is created with a descriptive name and details.
    • The system can group related alerts into incidents based on IP addresses.

Overall, this query helps security teams identify potential C2 beaconing by looking for patterns of regular, high-frequency outbound connections from internal hosts to external IPs.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLogDeviceVendorDeviceActionDestinationIPSourceIPSentBytesReceivedBytesDestinationPortTimeGeneratedConnectionCountBytesSentBytesReceivedHourlyBucketsPortsFirstSeenLastSeenBeaconScoreAddress

Operators

ago()in()!in()isnotempty()ipv4_is_private()summarizecount()sum()dcount()bin()make_set()min()max()extendround()toreal()order by

Severity

High

Tactics

CommandAndControl

MITRE Techniques

Frequency: 1h

Period: 1d

Actions

GitHub