Firewall Beaconing Detection - Regular Outbound Connections
01 CSL Beaconing Detection
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where DeviceAction !in ("deny", "block", "drop", "BLOCK", "DROP", "Reset-Both")
| where isnotempty(DestinationIP)
| where ipv4_is_private(DestinationIP) == false
| where isnotempty(SourceIP)
| summarize
ConnectionCount = count(),
BytesSent = sum(SentBytes),
BytesReceived = sum(ReceivedBytes),
HourlyBuckets = dcount(bin(TimeGenerated, 1h)),
Ports = make_set(DestinationPort, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SourceIP, DestinationIP, DeviceVendor
| where ConnectionCount > 20 and HourlyBuckets >= 3
| extend BeaconScore = round(toreal(ConnectionCount) / toreal(HourlyBuckets), 1)
| where BeaconScore > 5
| order by BeaconScore descExplanation
This query is designed to detect suspicious network activity that might indicate command-and-control (C2) beaconing, a common tactic used by attackers to maintain communication with compromised systems. Here's a simple breakdown of what the query does:
-
Data Source: It analyzes security logs from Fortinet, Palo Alto Networks, and Zscaler devices.
-
Time Frame: The query looks at logs from the past day (24 hours).
-
Filter Criteria:
- It excludes logs where the action was to deny, block, or drop the connection.
- It focuses on connections to external IP addresses (i.e., not private/internal IPs).
-
Aggregation:
- It counts the number of connections from each internal IP (SourceIP) to each external IP (DestinationIP).
- It calculates the total bytes sent and received.
- It determines how many different hourly periods (buckets) the connections span.
- It collects the destination ports used and notes the first and last time the connection was seen.
-
Detection Logic:
- It identifies cases where there are more than 20 connections spanning at least 3 different hourly periods.
- It calculates a "Beacon Score" (connections per hour) and flags cases where this score is greater than 5.
-
Output:
- The results are ordered by the Beacon Score, highlighting the most suspicious activities.
- Alerts are generated with details about the source and destination IPs, connection count, and beacon score.
-
Alerting:
- If any suspicious activity is detected, an alert is created with a descriptive name and details.
- The system can group related alerts into incidents based on IP addresses.
Overall, this query helps security teams identify potential C2 beaconing by looking for patterns of regular, high-frequency outbound connections from internal hosts to external IPs.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1d