Query Details

19 CSL Protocol Anomaly Non Standard Ports

Query

id: a9b0c1d2-e3f4-4a5b-6c7d-8e9f0a1b2c3d
name: "Protocol Anomaly - HTTP or HTTPS on Non-Standard Ports"
version: 1.0.0
kind: Scheduled
description: |
  Detects allowed firewall or proxy connections using HTTP or HTTPS application protocols on
  ports other than standard ones (80, 8080, 8000, 3128 for HTTP; 443, 8443 for HTTPS).
  Many C2 frameworks (Cobalt Strike, Metasploit, custom RATs) use alternate ports combined
  with HTTP/HTTPS to blend into web traffic while evading port-based firewall rules. This
  pattern is a strong indicator of command-and-control channel establishment.
  MITRE ATT&CK: T1571 (Non-Standard Port)
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1571
query: |
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
  | where DeviceAction !in ("deny", "block", "drop", "BLOCK", "DROP")
  | where (ApplicationProtocol in ("HTTP", "http") and DestinationPort !in (80, 8080, 8000, 3128))
      or (ApplicationProtocol in ("HTTPS", "https", "SSL", "ssl") and DestinationPort !in (443, 8443))
      or (Protocol in ("HTTP", "http") and DestinationPort !in (80, 8080, 8000, 3128))
      or (Protocol in ("HTTPS", "https") and DestinationPort !in (443, 8443))
  | summarize
      ConnectionCount  = count(),
      SourceIPs        = make_set(SourceIP, 20),
      DestIPs          = make_set(DestinationIP, 20),
      BytesSent        = sum(SentBytes),
      URLSamples       = make_set(RequestURL, 10),
      DeviceVendors    = make_set(DeviceVendor),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by DestinationPort, ApplicationProtocol, Protocol
  | order by ConnectionCount desc
entityMappings: []
customDetails:
  ConnectionCount: ConnectionCount
  DestinationPort: DestinationPort
  ApplicationProtocol: ApplicationProtocol
alertDetailsOverride:
  alertDisplayNameFormat: "Non-Standard Protocol Port - {{ApplicationProtocol}} on port {{DestinationPort}}"
  alertDescriptionFormat: "{{ConnectionCount}} allowed connections using {{ApplicationProtocol}} on non-standard port {{DestinationPort}}. Possible C2 channel disguised as web traffic."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: AnyAlert
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails:
      - DestinationPort

Explanation

This query is designed to detect unusual network activity where HTTP or HTTPS protocols are being used on non-standard ports, which can be a sign of malicious activity such as command-and-control (C2) communications. Here's a simple breakdown:

  • Purpose: The query identifies instances where HTTP or HTTPS traffic is allowed through a firewall or proxy on ports that are not typically used for these protocols. Standard ports for HTTP are 80, 8080, 8000, and 3128, and for HTTPS are 443 and 8443. Traffic on other ports might indicate an attempt to disguise malicious activity as normal web traffic.

  • Data Source: It reads CommonSecurityLog records from the CommonSecurityEvents connector, restricted to events whose DeviceVendor is Fortinet, Palo Alto Networks, or Zscaler.

  • Detection Logic: The query keeps only connections whose DeviceAction is not a deny, block, or drop, then flags any row where either the ApplicationProtocol or the Protocol field names HTTP (or HTTPS/SSL) while the DestinationPort is outside the standard list for that protocol.

  • Output: It summarizes the findings by counting the connections, listing the source and destination IPs, the amount of data sent, and samples of URLs accessed. It also records the first and last time the activity was seen.

  • Alerting: If any such activity is detected, an alert is generated with details about the protocol and port used, and the number of connections. This alert is considered high severity due to its potential to indicate a C2 channel.

  • Incident Management: If an alert is triggered, an incident is created to ensure the activity is investigated. The system can group similar alerts to manage them more effectively.

Overall, this query helps security teams identify potential threats that try to evade detection by using non-standard ports for web traffic.
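To check the rule's logic offline, here is an added Python port of the query (not part of the original page) run over a handful of constructed CommonSecurityLog rows. It mirrors the KQL faithfully, including the case-sensitive `!in` on DeviceAction, so a row whose action is spelled "Deny" is not excluded and still produces a match.

```python
from collections import defaultdict

# Port lists and string match sets copied from the rule's KQL above.
HTTP_PORTS, HTTPS_PORTS = {80, 8080, 8000, 3128}, {443, 8443}
VENDORS = {"Fortinet", "Palo Alto Networks", "Zscaler"}
# KQL `!in` is case-sensitive, so only these exact spellings are excluded.
BLOCKED_ACTIONS = {"deny", "block", "drop", "BLOCK", "DROP"}
HTTP_NAMES, HTTPS_APP_NAMES = {"HTTP", "http"}, {"HTTPS", "https", "SSL", "ssl"}
HTTPS_PROTO_NAMES = {"HTTPS", "https"}

def is_anomalous(r):
    """Apply the rule's where clauses to one CommonSecurityLog row (a dict)."""
    if r["DeviceVendor"] not in VENDORS or r["DeviceAction"] in BLOCKED_ACTIONS:
        return False
    app, proto, port = r["ApplicationProtocol"], r["Protocol"], r["DestinationPort"]
    return ((app in HTTP_NAMES and port not in HTTP_PORTS)
            or (app in HTTPS_APP_NAMES and port not in HTTPS_PORTS)
            or (proto in HTTP_NAMES and port not in HTTP_PORTS)
            or (proto in HTTPS_PROTO_NAMES and port not in HTTPS_PORTS))

def summarize(rows):
    """Group matches by (DestinationPort, ApplicationProtocol, Protocol), as the rule's summarize does."""
    groups = defaultdict(list)
    for r in filter(is_anomalous, rows):
        groups[(r["DestinationPort"], r["ApplicationProtocol"], r["Protocol"])].append(r)
    out = [{"DestinationPort": k[0], "ApplicationProtocol": k[1], "Protocol": k[2],
            "ConnectionCount": len(g),
            "SourceIPs": sorted({r["SourceIP"] for r in g})[:20],   # make_set(SourceIP, 20)
            "DestIPs": sorted({r["DestinationIP"] for r in g})[:20],
            "BytesSent": sum(r["SentBytes"] for r in g),
            "URLSamples": sorted({r["RequestURL"] for r in g})[:10],
            "FirstSeen": min(r["TimeGenerated"] for r in g),
            "LastSeen": max(r["TimeGenerated"] for r in g)} for k, g in groups.items()]
    return sorted(out, key=lambda o: o["ConnectionCount"], reverse=True)  # order by ConnectionCount desc

def _row(ts, vendor, action, app, proto, port, src, dst, sent, url):
    return {"TimeGenerated": ts, "DeviceVendor": vendor, "DeviceAction": action,
            "ApplicationProtocol": app, "Protocol": proto, "DestinationPort": port,
            "SourceIP": src, "DestinationIP": dst, "SentBytes": sent, "RequestURL": url}

# Constructed sample rows (not real log data); ISO-8601 timestamps sort lexically.
SAMPLE = [
    _row("2026-03-02T10:00:00Z", "Fortinet", "accept", "HTTP", "TCP", 8081, "10.0.0.5", "203.0.113.10", 512, "http://203.0.113.10:8081/b"),
    _row("2026-03-02T10:05:00Z", "Fortinet", "accept", "HTTP", "TCP", 8081, "10.0.0.6", "203.0.113.10", 640, "http://203.0.113.10:8081/b"),
    _row("2026-03-02T10:06:00Z", "Zscaler", "allow", "HTTPS", "TCP", 443, "10.0.0.7", "198.51.100.4", 300, "https://198.51.100.4/"),  # standard port: no match
    _row("2026-03-02T10:07:00Z", "Palo Alto Networks", "deny", "HTTPS", "TCP", 4443, "10.0.0.8", "198.51.100.9", 0, ""),  # blocked: excluded
    _row("2026-03-02T10:08:00Z", "Palo Alto Networks", "Deny", "HTTPS", "TCP", 4443, "10.0.0.9", "198.51.100.9", 100, ""),  # "Deny" is not in the list: matches
    _row("2026-03-02T10:09:00Z", "Cisco", "accept", "HTTP", "TCP", 9090, "10.0.0.10", "192.0.2.7", 200, "http://192.0.2.7:9090/"),  # vendor out of scope
]
```

Running `summarize(SAMPLE)` yields two groups: port 8081/HTTP with two connections, and port 4443/HTTPS with the single "Deny" row, which shows why a case-insensitive `!in~` is worth considering when tuning the rule.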

Details

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

Protocol Anomaly, HTTP, HTTPS, Ports, Firewall, Proxy, Connections, Cobalt Strike, Metasploit, RATs, Web Traffic, MITRE ATT&CK, CommonSecurityEvents, CommonSecurityLog, TimeGenerated, DeviceVendor, DeviceAction, ApplicationProtocol, DestinationPort, Protocol, ConnectionCount, SourceIPs, DestIPs, BytesSent, URLSamples, DeviceVendors

Operators

ago, in, !in, or, summarize, count, make_set, sum, min, max, by, order by, desc