Query Details
id: f2a3b4c5-d6e7-4f8a-9b0c-1d2e3f4a5b6c
name: "Firewall New First-Seen External IP Contacted"
version: 1.0.0
kind: Scheduled
description: |
  Identifies external IPs that received more than 5 allowed firewall connections in the
  last 24 hours but were not observed at all during the prior 7-day baseline period.
  Newly appearing external IPs with significant connection volume may indicate freshly
  registered attacker infrastructure, a newly activated C2 domain, or an exfiltration
  channel set up after initial compromise.
  MITRE ATT&CK: T1071 (Application Layer Protocol)
severity: Medium
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 6h
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071
query: |
  // Baseline: every external destination that received an allowed connection
  // between 7 days ago and 1 day ago.
  let HistoricalIPs =
      CommonSecurityLog
      | where TimeGenerated between (ago(7d) .. ago(1d))
      | where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
      // !in~ is case-insensitive, so "Deny", "DENY" and "deny" are all excluded
      | where DeviceAction !in~ ("deny", "block", "drop")
      // ipv4_is_private() returns null for empty or IPv6 values, so those rows drop out here
      | where ipv4_is_private(DestinationIP) == false
      | summarize by DestinationIP;
  // Current window: the same filters over the last 24 hours, aggregated per destination.
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
  | where DeviceAction !in~ ("deny", "block", "drop")
  | where ipv4_is_private(DestinationIP) == false
  | where isnotempty(DestinationIP)
  | summarize
      ConnectionCount = count(),
      SourceIPs = make_set(SourceIP, 20),
      BytesSent = sum(SentBytes),
      Ports = make_set(DestinationPort, 10),
      Protocols = make_set(Protocol, 5),
      DeviceVendors = make_set(DeviceVendor),
      FirstSeen = min(TimeGenerated)
    by DestinationIP
  | where ConnectionCount > 5
  // leftanti keeps only destinations that are absent from the baseline
  | join kind=leftanti HistoricalIPs on DestinationIP
  | order by ConnectionCount desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: DestinationIP
customDetails:
  ConnectionCount: ConnectionCount
alertDetailsOverride:
  alertDisplayNameFormat: "First-Seen External IP - {{DestinationIP}} ({{ConnectionCount}} connections)"
  alertDescriptionFormat: "External IP {{DestinationIP}} received {{ConnectionCount}} allowed firewall connections in the last 24 hours but was not seen in the prior 7-day baseline. Possible new attacker infrastructure."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT12H
    matchingMethod: Selected
    groupByEntities:
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []
This query is designed to identify external IP addresses that have suddenly started receiving a significant number of allowed firewall connections (more than 5) in the last 24 hours, but were not seen at all in the previous 7 days. This could indicate potential malicious activity, such as new attacker infrastructure or a newly activated command and control (C2) domain.
Here's a breakdown of what the query does:
Historical Data Collection: It first builds a list of external IPs that received an allowed connection (not denied, blocked, or dropped) through one of the three firewall vendors in the past 7 days, excluding the last day.
Current Data Analysis: It then applies the same vendor, action, and private-IP filters to the last 24 hours and keeps external IPs that received more than 5 allowed connections.
Comparison: A leftanti join against the historical list keeps only the IPs that are new, i.e., not seen at all during the previous 7-day baseline.
Output: The results are sorted by the number of connections, and for each IP, it provides details such as the number of connections, source IPs, bytes sent, ports, protocols, and vendors involved.
Alerting: If any such IPs are found, an alert is generated with details about the IP and the number of connections. This alert is intended to notify security teams of potential new threats.
Incident Management: The query is set up to create incidents for these alerts, with configurations to group incidents by IP address and to avoid reopening closed incidents.
Overall, this query helps in detecting potentially suspicious external IPs that have suddenly become active, which could be indicative of malicious activities.
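Because the KQL above only runs inside a Sentinel workspace, the following Python model of the same detection logic is added here so the filter semantics can be checked offline; it is an example written for this page, not part of the rule or of Microsoft's tooling. The sample rows, the fixed "query time", and the helper names (make_rows, allowed_external, first_seen_external_ips) are constructed; the RFC 1918 definition of ipv4_is_private() and its null result on empty or IPv6 input follow KQL's documented behaviour. It generalizes the rule slightly by exposing the threshold and window lengths as constants.

```python
"""Offline model of the rule's detection logic (added example, not the page's own code).
Replays constructed CommonSecurityLog-style rows through the same steps the KQL performs:
vendor filter, allowed-action filter, public-IPv4 filter, baseline vs. current window,
per-destination aggregation, count threshold, and the leftanti join against the baseline."""
from datetime import datetime, timedelta, timezone
import ipaddress

VENDORS = {"Fortinet", "Palo Alto Networks", "Zscaler"}
BLOCKED_ACTIONS = {"deny", "block", "drop"}   # compared case-insensitively, like !in~
MIN_CONNECTIONS = 5                           # rule fires on ConnectionCount > 5
BASELINE_DAYS, CURRENT_DAYS = 7, 1
# RFC 1918 ranges, which is what KQL ipv4_is_private() tests
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed "query time"; every window below is relative to it, like ago()
NOW = datetime(2026, 3, 2, 12, 0, tzinfo=timezone.utc)


def is_public_ipv4(value):
    """Mirror of `ipv4_is_private(x) == false`. Empty, malformed and IPv6 values are
    dropped as well: KQL returns null for them, and null == false is not true."""
    try:
        ip = ipaddress.IPv4Address(value)
    except (ipaddress.AddressValueError, ValueError):
        return False
    return not any(ip in net for net in RFC1918)


def allowed_external(rows, start, end, exclusive_start=False):
    """Filters shared by both branches of the query, over one time window."""
    for r in rows:
        t = r["TimeGenerated"]
        if t > end or t < start or (exclusive_start and t == start):
            continue
        if r["DeviceVendor"] not in VENDORS:
            continue
        if r["DeviceAction"].lower() in BLOCKED_ACTIONS:
            continue
        if not is_public_ipv4(r["DestinationIP"]):
            continue
        yield r


def first_seen_external_ips(rows, now=NOW):
    """Returns [(DestinationIP, aggregates)] sorted by ConnectionCount descending."""
    baseline_start = now - timedelta(days=BASELINE_DAYS)
    cutoff = now - timedelta(days=CURRENT_DAYS)
    # HistoricalIPs: distinct destinations seen in the baseline window (7d ago .. 1d ago)
    historical = {r["DestinationIP"] for r in allowed_external(rows, baseline_start, cutoff)}
    # summarize ... by DestinationIP over the current window (> 1d ago)
    current = {}
    for r in allowed_external(rows, cutoff, now, exclusive_start=True):
        agg = current.setdefault(r["DestinationIP"], {
            "ConnectionCount": 0, "SourceIPs": set(), "BytesSent": 0, "Ports": set(),
            "Protocols": set(), "DeviceVendors": set(), "FirstSeen": r["TimeGenerated"]})
        agg["ConnectionCount"] += 1
        agg["SourceIPs"].add(r["SourceIP"])
        agg["BytesSent"] += r["SentBytes"]
        agg["Ports"].add(r["DestinationPort"])
        agg["Protocols"].add(r["Protocol"])
        agg["DeviceVendors"].add(r["DeviceVendor"])
        agg["FirstSeen"] = min(agg["FirstSeen"], r["TimeGenerated"])
    # threshold, then the leftanti join: anything present in the baseline is dropped
    hits = [(ip, a) for ip, a in current.items()
            if a["ConnectionCount"] > MIN_CONNECTIONS and ip not in historical]
    hits.sort(key=lambda h: h[1]["ConnectionCount"], reverse=True)
    return hits


def make_rows(dest, count, hours_ago, action="allow", vendor="Fortinet",
              src="192.168.1.10", port=443, proto="TCP", sent=1500):
    """Constructed CommonSecurityLog-like rows, one per minute starting hours_ago."""
    return [{"TimeGenerated": NOW - timedelta(hours=hours_ago, minutes=i),
             "DeviceVendor": vendor, "DeviceAction": action, "SourceIP": src,
             "DestinationIP": dest, "DestinationPort": port, "Protocol": proto,
             "SentBytes": sent} for i in range(count)]


# Constructed sample: one true hit and five cases each filter is meant to drop
SAMPLE_LOG = (
    make_rows("203.0.113.10", 5, 2)                                           # new, 8 connections in total
    + make_rows("203.0.113.10", 3, 4, src="192.168.1.11", port=8443)          #   from two internal hosts -> fires
    + make_rows("198.51.100.20", 10, 3) + make_rows("198.51.100.20", 2, 72)   # busy, but seen 3 days ago -> suppressed
    + make_rows("203.0.113.30", 3, 5)                                         # new, but only 3 connections
    + make_rows("203.0.113.40", 7, 1, action="Deny")                          # new, but blocked (mixed-case action)
    + make_rows("10.0.0.5", 9, 4)                                             # RFC 1918 destination
    + make_rows("2001:db8::1", 6, 6)                                          # IPv6: ipv4_is_private() is null
)

if __name__ == "__main__":
    for ip, agg in first_seen_external_ips(SAMPLE_LOG):
        print(ip, agg["ConnectionCount"], sorted(agg["SourceIPs"]), sorted(agg["Ports"]))
```

Run it and only 203.0.113.10 is reported; the other five destinations show which filter suppresses them. The "Deny" row set is the reason the rule's action filter should be case-insensitive: with a case-sensitive `!in` list a vendor that logs mixed-case actions would have those blocked connections counted as allowed.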

David Alonso
Released: March 2, 2026