Firewall New First-Seen External IP Contacted
12 CSL New First Seen External IP
Query
let HistoricalIPs =
CommonSecurityLog
| where TimeGenerated between (ago(7d) .. ago(1d))
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where DeviceAction !in ("deny", "block", "drop", "BLOCK", "DROP")
| where ipv4_is_private(DestinationIP) == false
| summarize by DestinationIP;
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where DeviceAction !in ("deny", "block", "drop", "BLOCK", "DROP")
| where ipv4_is_private(DestinationIP) == false
| where isnotempty(DestinationIP)
| summarize
ConnectionCount = count(),
SourceIPs = make_set(SourceIP, 20),
BytesSent = sum(SentBytes),
Ports = make_set(DestinationPort, 10),
Protocols = make_set(Protocol, 5),
DeviceVendors = make_set(DeviceVendor),
FirstSeen = min(TimeGenerated)
by DestinationIP
| where ConnectionCount > 5
| join kind=leftanti HistoricalIPs on DestinationIP
| order by ConnectionCount descExplanation
This query is designed to identify external IP addresses that have suddenly started receiving a significant number of allowed firewall connections (more than 5) in the last 24 hours, but were not seen at all in the previous 7 days. This could indicate potential malicious activity, such as new attacker infrastructure or a newly activated command and control (C2) domain.
Here's a breakdown of what the query does:
-
Historical Data Collection: It first gathers a list of external IPs that were contacted in the past 7 days (excluding the last day) but only considers those connections that were allowed (not denied, blocked, or dropped).
-
Current Data Analysis: It then looks at the last 24 hours of data to find external IPs that have received more than 5 allowed connections. It excludes private IPs and only considers connections from specific vendors (Fortinet, Palo Alto Networks, Zscaler).
-
Comparison: The query compares the current list of IPs with the historical list to find IPs that are new (i.e., not seen in the previous 7 days).
-
Output: The results are sorted by the number of connections, and for each IP, it provides details such as the number of connections, source IPs, bytes sent, ports, protocols, and vendors involved.
-
Alerting: If any such IPs are found, an alert is generated with details about the IP and the number of connections. This alert is intended to notify security teams of potential new threats.
-
Incident Management: The query is set up to create incidents for these alerts, with configurations to group incidents by IP address and to avoid reopening closed incidents.
Overall, this query helps in detecting potentially suspicious external IPs that have suddenly become active, which could be indicative of malicious activities.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques
Frequency: 6h
Period: 7d