Query Details

20 CSL Risky Identity Firewall Traffic

Query

id: b0c1d2e3-f4a5-4b6c-7d8e-9f0a1b2c3d4e
name: "Correlation: Firewall Traffic from High-Risk Identity (IdentityInfo)"
version: 1.0.0
kind: Scheduled
description: |
  Correlates Fortinet, Palo Alto, and Zscaler firewall/proxy allowed traffic with the
  IdentityInfo table (UEBA) to identify accounts flagged with elevated investigation priority
  that are actively generating significant traffic volume. A high-risk or compromised identity
  generating large firewall sessions amplifies the exfiltration or lateral movement risk and
  should be prioritized for investigation.
  Requires: Microsoft Sentinel UEBA (IdentityInfo populated by BehaviorAnalytics).
  MITRE ATT&CK: T1078 (Valid Accounts)
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
  - connectorId: BehaviorAnalytics
    dataTypes:
      - BehaviorAnalytics
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - DefenseEvasion
relevantTechniques:
  - T1078
query: |
  // Identity side: IdentityInfo (UEBA) over the last 14 days, collapsed to one row per UPN
  // carrying the highest InvestigationPriority observed. No priority threshold is applied, so
  // every identity that has an IdentityInfo row qualifies; add one if the rule fires too broadly.
  // Note: queryPeriod is 1d and Sentinel scopes a scheduled rule's data to queryPeriod, so raise
  // it (max 14d) if the 14-day identity window is meant to apply.
  let RiskyIdentities =
      IdentityInfo
      | where TimeGenerated > ago(14d)
      | where isnotempty(AccountUPN)
      | summarize
          RiskScore        = max(InvestigationPriority),
          JobTitle         = take_any(JobTitle),       // take_any() replaces the deprecated any()
          Department       = take_any(Department),
          ManagerUPN       = take_any(ManagerUPN),
          AccountEnabled   = take_any(AccountEnabled)
        by AccountUPN = tolower(AccountUPN);   // lower-cased so the join below cannot miss on case
  // Firewall/proxy side: allowed sessions from the three vendors in the last day, per user.
  // SourceUserName must carry the UPN (not DOMAIN\user or a bare sAMAccountName) for the join
  // to match; normalise it here if your connectors populate it differently.
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
  | where DeviceAction !in~ ("deny", "block", "drop")   // case-insensitive: also drops Deny, BLOCK, Drop
  | where isnotempty(SourceUserName)
  | summarize
      FW_RequestCount  = count(),
      FW_BytesSent     = sum(SentBytes),
      FW_BytesRecv     = sum(ReceivedBytes),
      FW_DestIPs       = dcount(DestinationIP),
      FW_Vendors       = make_set(DeviceVendor),
      FW_SrcIPs        = make_set(SourceIP, 5),         // at most 5 source IPs per user
      FW_FirstSeen     = min(TimeGenerated)
    by UserName = tolower(SourceUserName)
  // Inner join: only users present on both sides survive.
  | join kind=inner RiskyIdentities on $left.UserName == $right.AccountUPN
  | extend TotalMBSent = round(toreal(FW_BytesSent) / 1048576, 2)   // bytes -> MiB, 2 decimals
  | project
      UserName,
      JobTitle,
      Department,
      RiskScore,
      FW_RequestCount,
      TotalMBSent,
      FW_DestIPs,
      FW_Vendors,
      FW_SrcIPs
  | order by RiskScore desc, TotalMBSent desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserName
customDetails:
  RiskScore: RiskScore
  TotalMBSent: TotalMBSent
  FW_RequestCount: FW_RequestCount
alertDetailsOverride:
  alertDisplayNameFormat: "Risky Identity Firewall Activity - {{UserName}} (risk: {{RiskScore}})"
  alertDescriptionFormat: "High-risk user {{UserName}} (investigation priority: {{RiskScore}}) generated {{TotalMBSent}} MB through the firewall. Identity risk combined with high traffic volume is a critical exfiltration or abuse indicator."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT12H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is a scheduled analytics rule designed to identify high-risk user accounts that are generating significant traffic through firewalls. Here's a simplified breakdown of what it does:

  1. Purpose: The query aims to correlate firewall/proxy traffic data with user identity information to detect accounts with a high investigation priority that are generating large volumes of traffic. This is important because such activity could indicate potential data exfiltration or lateral movement within a network.

  2. Data Sources: It uses data from Fortinet, Palo Alto, and Zscaler firewalls, as well as user behavior analytics data from Microsoft Sentinel's UEBA (User and Entity Behavior Analytics).

  3. Process:

    • It first identifies risky identities from the IdentityInfo table, focusing on accounts with a high investigation priority over the past 14 days.
    • It then examines firewall logs from the past day, filtering for traffic that was allowed (not denied, blocked, or dropped).
    • The query aggregates data on the number of requests, bytes sent and received, distinct destination IPs, and source IPs for each user.
    • It joins this firewall data with the risky identities to find matches.

  4. Output:

    • The results include details such as the username, job title, department, risk score, number of requests, total megabytes sent, distinct destination IPs, and firewall vendors involved.
    • The output is sorted by risk score and total megabytes sent to prioritize the most critical cases.

  5. Alerts and Incidents:

    • If a high-risk user is found to have generated significant traffic, an alert is created with details about the user's activity.
    • The alert includes a custom message highlighting the risk and traffic volume, and incidents are created for further investigation.

  6. Configuration:

    • The query is set to run every hour and looks back over the past day for relevant data.
    • It uses specific tactics and techniques from the MITRE ATT&CK framework to categorize the activity.

Overall, this query helps security teams quickly identify and prioritize investigations into potentially compromised accounts that are generating suspiciously high levels of network traffic.
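As an added example (not part of the rule or of this catalogue), the same correlation re-implemented in Python over constructed IdentityInfo and CommonSecurityLog rows, so the join and filter behaviour can be checked offline: both join keys are lower-cased, DeviceAction is matched case-insensitively, and a min_priority parameter (an assumption; the rule itself applies no priority threshold) generalises the page's query.

```python
from collections import defaultdict
def ident(upn, prio, title, dept):  # one IdentityInfo row (constructed)
    return {"AccountUPN": upn, "InvestigationPriority": prio, "JobTitle": title, "Department": dept}
def fw(vendor, action, user, sent_mb, dst, src):  # one CommonSecurityLog row (constructed)
    return {"DeviceVendor": vendor, "DeviceAction": action, "SourceUserName": user,
            "SentBytes": sent_mb * 1048576, "DestinationIP": dst, "SourceIP": src}

# Constructed sample rows, not real telemetry; column names follow the Sentinel tables.
IDENTITY_INFO = [
    ident("Alice.Smith@contoso.example", 7, "Finance Analyst", "Finance"),  # mixed-case UPN
    ident("alice.smith@contoso.example", 3, "Finance Analyst", "Finance"),  # older snapshot
    ident("bob@contoso.example", 0, "Engineer", "R&D"),
]
COMMON_SECURITY_LOG = [
    fw("Palo Alto Networks", "allow", "alice.smith@contoso.example", 3, "203.0.113.10", "10.0.0.5"),
    fw("Fortinet", "Deny", "ALICE.SMITH@contoso.example", 50, "203.0.113.11", "10.0.0.5"),  # excluded
    fw("Zscaler", "allow", "ALICE.SMITH@contoso.example", 1, "203.0.113.12", "10.0.0.6"),
    fw("Cisco", "allow", "alice.smith@contoso.example", 10, "203.0.113.13", "10.0.0.5"),  # out of scope
    fw("Fortinet", "allow", "bob@contoso.example", 99, "203.0.113.14", "10.0.0.7"),
]
VENDORS = {"Fortinet", "Palo Alto Networks", "Zscaler"}
BLOCKED = {"deny", "block", "drop"}

def correlate(identity_rows, fw_rows, min_priority=1):
    """Allowed firewall traffic per user, inner-joined to the max InvestigationPriority per UPN."""
    risky = {}
    for r in identity_rows:
        upn = r["AccountUPN"].lower()  # lower-case both join keys so case can never hide a match
        cur = risky.setdefault(upn, {"RiskScore": 0, "JobTitle": r["JobTitle"],
                                     "Department": r["Department"]})
        cur["RiskScore"] = max(cur["RiskScore"], r["InvestigationPriority"])  # max(), as in the rule
    agg = defaultdict(lambda: {"FW_RequestCount": 0, "FW_BytesSent": 0,
                               "FW_DestIPs": set(), "FW_Vendors": set(), "FW_SrcIPs": set()})
    for e in fw_rows:
        # vendor allow-list plus case-insensitive exclusion of denied/blocked/dropped sessions
        if e["DeviceVendor"] not in VENDORS or e["DeviceAction"].lower() in BLOCKED:
            continue
        a = agg[e["SourceUserName"].lower()]
        a["FW_RequestCount"] += 1; a["FW_BytesSent"] += e["SentBytes"]
        a["FW_DestIPs"].add(e["DestinationIP"]); a["FW_Vendors"].add(e["DeviceVendor"]); a["FW_SrcIPs"].add(e["SourceIP"])
    out = []
    for user, a in agg.items():  # users with no identity row, or below the threshold, are dropped
        i = risky.get(user)
        if i is None or i["RiskScore"] < min_priority:
            continue
        out.append({"UserName": user, **i, "FW_RequestCount": a["FW_RequestCount"],
                    "TotalMBSent": round(a["FW_BytesSent"] / 1048576, 2),
                    "FW_DestIPs": len(a["FW_DestIPs"]), "FW_Vendors": sorted(a["FW_Vendors"]),
                    "FW_SrcIPs": sorted(a["FW_SrcIPs"])})
    return sorted(out, key=lambda r: (-r["RiskScore"], -r["TotalMBSent"]))
```

With the constructed rows, Alice's denied Fortinet session and the out-of-scope Cisco session are dropped, her two allowed sessions are summed to 4.0 MB under the highest priority (7) seen for either spelling of her UPN, and Bob only appears when min_priority is lowered to 0.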

Details


David Alonso

Released: March 2, 2026

Tables

IdentityInfo, CommonSecurityLog

Keywords

Firewall Traffic, IdentityInfo, Accounts, InvestigationPriority, Microsoft Sentinel, UEBA, BehaviorAnalytics, CommonSecurityEvents, CommonSecurityLog, Fortinet, Palo Alto Networks, Zscaler, SourceUserName, DestinationIP, DeviceVendor, SourceIP, UserName, JobTitle, Department, ManagerUPN, AccountEnabled, RiskScore, TotalMBSent

Operators

let, where, isnotempty, summarize, ago, max, any, by, in, !in, count, sum, dcount, make_set, tolower, join, kind, on, extend, round, toreal, /, project, order by, desc
