Firewall Allowed Traffic to High-Risk Country
05 CSL High Risk Country Traffic
Query
let HighRiskCountries = dynamic([
"China", "Russia", "North Korea", "Iran", "Syria",
"Cuba", "Belarus", "Venezuela", "Afghanistan", "Libya"]);
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where DeviceAction !in ("deny", "block", "drop", "BLOCK", "DROP", "Reset-Both")
| where isnotempty(DestinationIP)
| where ipv4_is_private(DestinationIP) == false
| extend DestCountry = tostring(geo_info_from_ip_address(DestinationIP).country)
| where DestCountry in (HighRiskCountries)
| summarize
ConnectionCount = count(),
BytesSent = sum(SentBytes),
InternalIPs = make_set(SourceIP, 20),
ExternalIPs = make_set(DestinationIP, 20),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
RepresentativeIP = any(SourceIP)
by DestCountry, DeviceVendor
| order by ConnectionCount descExplanation
This query is designed to detect and alert on allowed firewall traffic to or from countries that are often linked with nation-state threat actors and advanced persistent threat (APT) groups. The query focuses on traffic involving specific countries (China, Russia, North Korea, Iran, Syria, Cuba, Belarus, Venezuela, Afghanistan, and Libya) and is executed every hour, analyzing data from the past day.
Here's a simplified breakdown of what the query does:
-
Data Source: It uses logs from common security events, specifically from devices by vendors like Fortinet, Palo Alto Networks, and Zscaler.
-
Traffic Filtering: It filters out traffic that has been explicitly denied or blocked, focusing only on allowed connections.
-
Country Identification: It identifies the destination country of the traffic using the destination IP address.
-
High-Risk Countries: It checks if the destination country is one of the high-risk countries mentioned.
-
Data Aggregation: For each high-risk country and device vendor, it counts the number of connections, sums up the bytes sent, and collects sets of internal and external IPs involved. It also records the first and last time the traffic was seen and selects a representative source IP.
-
Alert Generation: If any connections to these high-risk countries are detected, an alert is generated. The alert includes the number of connections and the destination country, suggesting a review for potential command and control (C2) channels or data exfiltration.
-
Incident Management: The query is set to create incidents based on these alerts, with configurations to group related alerts and prevent reopening of closed incidents within a 12-hour lookback period.
Overall, this query helps in monitoring and identifying potentially suspicious network traffic that could indicate unauthorized access or data exfiltration activities.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques
Frequency: 1h
Period: 1d