Query Details

```yaml
id: e5f6a7b8-c9d0-4e1f-2a3b-4c5d6e7f8a9b
name: "Firewall Allowed Traffic to High-Risk Country"
version: 1.0.0
kind: Scheduled
description: |
  Detects allowed inbound or outbound firewall traffic to/from countries frequently associated
  with nation-state threat actors and APT groups (CN, RU, KP, IR, SY, CU, BY, VE, AF, LY).
  High-volume or repeated connections to these geographies may indicate C2 channels, data
  exfiltration, or unauthorized access from threat actor infrastructure.
  MITRE ATT&CK: T1078 (Valid Accounts)
severity: Medium
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - Exfiltration
relevantTechniques:
  - T1078
query: |
  let HighRiskCountries = dynamic([
      "China", "Russia", "North Korea", "Iran", "Syria",
      "Cuba", "Belarus", "Venezuela", "Afghanistan", "Libya"]);
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
  // keep only allowed traffic; !in~ is case-insensitive, so "DENY", "Block", "drop" etc. are all excluded
  | where DeviceAction !in~ ("deny", "block", "drop", "reset-both")
  | where isnotempty(DestinationIP)
  // ipv4_is_private() covers only the RFC 1918 ranges
  | where not(ipv4_is_private(DestinationIP))
  | extend DestCountry = tostring(geo_info_from_ip_address(DestinationIP).country)
  | where DestCountry in (HighRiskCountries)
  | summarize
      ConnectionCount = count(),
      BytesSent = sum(SentBytes),
      InternalIPs = make_set(SourceIP, 20),
      ExternalIPs = make_set(DestinationIP, 20),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated),
      RepresentativeIP = take_any(SourceIP)   // any() is deprecated; take_any() is the current form
    by DestCountry, DeviceVendor
  | order by ConnectionCount desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: RepresentativeIP
customDetails:
  ConnectionCount: ConnectionCount
  DestCountry: DestCountry
alertDetailsOverride:
  alertDisplayNameFormat: "High-Risk Country Traffic Allowed - {{DestCountry}} ({{ConnectionCount}} connections)"
  alertDescriptionFormat: "{{ConnectionCount}} allowed firewall connections to {{DestCountry}} detected. Review for C2 or data exfiltration."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT12H
    matchingMethod: AnyAlert
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails:
      - DestCountry
```
This query detects and alerts on allowed firewall traffic to or from countries that are often linked with nation-state threat actors and advanced persistent threat (APT) groups. It focuses on traffic involving specific countries (China, Russia, North Korea, Iran, Syria, Cuba, Belarus, Venezuela, Afghanistan, and Libya), runs every hour, and analyzes data from the past day.
Here is a simplified breakdown of what the query does:
Data Source: It reads the CommonSecurityLog table, restricted to events from Fortinet, Palo Alto Networks, and Zscaler devices.
Traffic Filtering: It excludes traffic whose DeviceAction indicates a deny, block, drop, or reset, focusing only on allowed connections; destinations in RFC 1918 private ranges are also excluded.
Country Identification: It resolves the destination country from the destination IP address with geo_info_from_ip_address(). Note that only DestinationIP is geolocated, so the rule as written catches outbound connections; detecting inbound traffic from these geographies would require the same lookup on SourceIP.
High-Risk Countries: It checks whether the destination country is one of the listed high-risk countries.
Data Aggregation: For each high-risk country and device vendor, it counts the connections, sums the bytes sent, and collects sets (capped at 20 entries each) of the internal and external IPs involved. It also records the first and last time the traffic was seen and selects a representative source IP for entity mapping.
Alert Generation: Because the trigger threshold is 0, an alert fires whenever at least one such connection is found. The alert title and description carry the connection count and destination country and suggest a review for potential command and control (C2) channels or data exfiltration.
Incident Management: Alerts create incidents, and related alerts are grouped by destination country within a 12-hour lookback window; closed incidents are not reopened.
Overall, this query helps in monitoring and identifying potentially suspicious network traffic that could indicate unauthorized access or data exfiltration activities. In environments with legitimate business traffic to these geographies, expect to raise the threshold or baseline known destinations to keep the alert volume manageable.
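To show what the rule's filters and aggregation actually produce, here is an added Python re-implementation of the detection logic run over constructed CommonSecurityLog-style rows (this is example code, not part of the rule or the author's page). The geolocation lookup is a hypothetical prefix-to-country stub standing in for geo_info_from_ip_address(), and the sample rows are constructed, not real telemetry.

```python
import ipaddress

HIGH_RISK = {"China", "Russia", "North Korea", "Iran", "Syria",
             "Cuba", "Belarus", "Venezuela", "Afghanistan", "Libya"}
VENDORS = {"Fortinet", "Palo Alto Networks", "Zscaler"}
DENY = {"deny", "block", "drop", "reset-both"}  # DeviceAction, matched case-insensitively like !in~
# KQL ipv4_is_private() covers only RFC 1918; Python's is_private is wider, so mirror KQL explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed stand-in for geo_info_from_ip_address(): prefix -> country (hypothetical mapping).
GEO_STUB = {"203.0.113.0/24": "Russia", "198.51.100.0/24": "Germany"}

def geo_country(ip):
    addr = ipaddress.ip_address(ip)
    return next((c for p, c in GEO_STUB.items() if addr in ipaddress.ip_network(p)), "")

def keep(r):  # the rule's where-clauses: returns the high-risk destination country or None
    dst = r.get("DestinationIP")
    if (r["DeviceVendor"] not in VENDORS or r["DeviceAction"].lower() in DENY
            or not dst or any(ipaddress.ip_address(dst) in n for n in RFC1918)):
        return None
    country = geo_country(dst)
    return country if country in HIGH_RISK else None

def summarize(records):
    # summarize ... by DestCountry, DeviceVendor | order by ConnectionCount desc
    groups = {}
    for r in records:
        country = keep(r)
        if country is None:
            continue
        g = groups.setdefault((country, r["DeviceVendor"]), dict(
            DestCountry=country, DeviceVendor=r["DeviceVendor"], ConnectionCount=0,
            BytesSent=0, InternalIPs=set(), ExternalIPs=set(),
            FirstSeen=r["TimeGenerated"], LastSeen=r["TimeGenerated"]))
        g["ConnectionCount"] += 1
        g["BytesSent"] += r["SentBytes"]
        g["InternalIPs"].add(r["SourceIP"])       # make_set(SourceIP, 20); the cap is omitted here
        g["ExternalIPs"].add(r["DestinationIP"])  # make_set(DestinationIP, 20)
        g["FirstSeen"] = min(g["FirstSeen"], r["TimeGenerated"])
        g["LastSeen"] = max(g["LastSeen"], r["TimeGenerated"])
    return sorted(groups.values(), key=lambda g: g["ConnectionCount"], reverse=True)

FIELDS = ("TimeGenerated", "DeviceVendor", "DeviceAction", "SourceIP", "DestinationIP", "SentBytes")
# Constructed CommonSecurityLog-style rows, not real telemetry (ISO timestamps compare lexically).
SAMPLE = [dict(zip(FIELDS, t)) for t in [
    ("2026-03-01T10:00:00Z", "Fortinet", "accept", "10.1.2.3", "203.0.113.7", 1500),
    ("2026-03-01T11:30:00Z", "Fortinet", "Accept", "10.1.2.4", "203.0.113.9", 2500),
    ("2026-03-01T11:45:00Z", "Fortinet", "DENY", "10.1.2.3", "203.0.113.7", 0),              # blocked
    ("2026-03-01T12:00:00Z", "Palo Alto Networks", "allow", "10.5.0.1", "198.51.100.20", 900),  # not high-risk
    ("2026-03-01T12:10:00Z", "Zscaler", "allow", "10.1.2.3", "192.168.1.5", 300),            # RFC 1918 dest
    ("2026-03-01T12:20:00Z", "Cisco", "allow", "10.1.2.3", "203.0.113.7", 700),              # vendor out of scope
]]
```

Running summarize(SAMPLE) yields a single Russia/Fortinet group with two connections and 4000 bytes sent; the denied, private-destination, non-high-risk and out-of-scope-vendor rows are all filtered out before aggregation.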

David Alonso
Released: March 2, 2026