Query Details

Firewall Allowed Traffic to High-Risk Country

05 CSL High Risk Country Traffic

Query

let HighRiskCountries = dynamic([
    "China", "Russia", "North Korea", "Iran", "Syria",
    "Cuba", "Belarus", "Venezuela", "Afghanistan", "Libya"]);
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where DeviceAction !in ("deny", "block", "drop", "BLOCK", "DROP", "Reset-Both")
| where isnotempty(DestinationIP)
| where ipv4_is_private(DestinationIP) == false
| extend DestCountry = tostring(geo_info_from_ip_address(DestinationIP).country)
| where DestCountry in (HighRiskCountries)
| summarize
    ConnectionCount  = count(),
    BytesSent        = sum(SentBytes),
    InternalIPs      = make_set(SourceIP, 20),
    ExternalIPs      = make_set(DestinationIP, 20),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated),
    RepresentativeIP = any(SourceIP)
  by DestCountry, DeviceVendor
| order by ConnectionCount desc

Explanation

This query is designed to detect and alert on allowed firewall traffic to or from countries that are often linked with nation-state threat actors and advanced persistent threat (APT) groups. The query focuses on traffic involving specific countries (China, Russia, North Korea, Iran, Syria, Cuba, Belarus, Venezuela, Afghanistan, and Libya) and is executed every hour, analyzing data from the past day.

Here's a simplified breakdown of what the query does:

  1. Data Source: It uses logs from common security events, specifically from devices by vendors like Fortinet, Palo Alto Networks, and Zscaler.

  2. Traffic Filtering: It filters out traffic that has been explicitly denied or blocked, focusing only on allowed connections.

  3. Country Identification: It identifies the destination country of the traffic using the destination IP address.

  4. High-Risk Countries: It checks if the destination country is one of the high-risk countries mentioned.

  5. Data Aggregation: For each high-risk country and device vendor, it counts the number of connections, sums up the bytes sent, and collects sets of internal and external IPs involved. It also records the first and last time the traffic was seen and selects a representative source IP.

  6. Alert Generation: If any connections to these high-risk countries are detected, an alert is generated. The alert includes the number of connections and the destination country, suggesting a review for potential command and control (C2) channels or data exfiltration.

  7. Incident Management: The query is set to create incidents based on these alerts, with configurations to group related alerts and prevent reopening of closed incidents within a 12-hour lookback period.

Overall, this query helps in monitoring and identifying potentially suspicious network traffic that could indicate unauthorized access or data exfiltration activities.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

FirewallTrafficCountriesThreatActorsConnectionsSecurityDevices

Operators

letdynamicagoin!inisnotemptyipv4_is_privateextendtostringgeo_info_from_ip_addresssummarizecountsummake_setminmaxanybyorder bydesc

Severity

Medium

Tactics

InitialAccessExfiltration

MITRE Techniques

Frequency: 1h

Period: 1d

Actions

GitHub