Query Details

ASN Generating High Number Of Connection Requests Based On Average

Query

**ASN generating high number of connection requests based on average**

**Description:** Identify an ASN that typically handles an average of X connection requests per day over a consistent 7-day period and then suddenly triples, or more, the number of requests (you can adjust the `Multiply_avg` line in the query to set the exact multiplication threshold). In addition, identify whether, during the last week, a new ASN has triggered more than 1K connection attempts in a single day.
```
// External CIDR-to-ASN mapping used to enrich RemoteIP with its ASN
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string) ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip'] with (ignoreFirstRecord=true));
// Per-ASN, per-day connection counts for the last 7 days (public remote IPs only)
let daily =
    DeviceNetworkEvents
    | where isnotempty(RemoteIP) and RemoteIPType !has "Private"
    | where Timestamp >= ago(7d)
    | evaluate ipv4_lookup(CIDRASN, RemoteIP, CIDR, return_unmatched=true)
    | where isnotempty(CIDRASN)   // drop remote IPs with no ASN match
    | extend Day = format_datetime(startofday(Timestamp), 'yyyy-MM-dd')
    | summarize Success_Connections = countif(ActionType == "ConnectionSuccess"),
                Attempts_Connections = countif(ActionType == "ConnectionAttempt" or ActionType == "ConnectionFailed"),
                Inspected_Connections = countif(ActionType endswith "inspected"),
                Requested_Connections = countif(ActionType == "ConnectionRequest"),
                make_set(CIDR), make_set(RemoteIP), Connections_x_day = count()
                by CIDRASN, CIDRASNName, Day;
// Baseline per ASN: total connections, number of active days, average connections per active day
let summary =
    daily
    | summarize TotalConnections = sum(Connections_x_day), Distinct__Days = count(), AvgConnectionsPerDay = avg(Connections_x_day) by CIDRASN;
daily
| join kind=inner (summary) on CIDRASN
| extend Multiply_avg = AvgConnectionsPerDay * 4   // adjust the multiplication threshold here
// Flag days above the multiplied average, or ASNs seen on a single day with more than 1000 attempts
| where Multiply_avg < Connections_x_day or (Distinct__Days == 1 and Attempts_Connections > 1000)
| project CIDRASNName, CIDRASN, set_CIDR, set_RemoteIP, Day, Distinct__Days, Connections_x_day, AvgConnectionsPerDay, TotalConnections, Success_Connections, Attempts_Connections, Inspected_Connections, Requested_Connections
| order by Attempts_Connections
```

Explanation

This KQL query is designed to identify unusual activity from Autonomous System Numbers (ASNs) based on their connection request patterns. Here's a simplified breakdown:

  1. Data Source: The query uses an external data source that maps IP addresses to ASNs.

  2. Data Filtering: It focuses on network events from the last 7 days, excluding private IP addresses.

  3. Daily Summary: For each ASN, it calculates daily statistics, including successful connections, connection attempts, inspected connections, and connection requests.

  4. Overall Summary: It aggregates these daily statistics to compute the total connections, the number of distinct days with activity, and the average connections per day for each ASN.

  5. Anomaly Detection: The query identifies ASNs with two types of unusual behavior:

    • ASNs with a daily connection count of more than four times their average.
    • New ASNs (active for only one day) that have more than 1,000 connection attempts in a single day.

  6. Output: It lists the ASNs that meet these criteria, along with relevant details like the number of connection attempts and requests, and sorts them by the number of connection attempts.

In essence, the query helps detect ASNs that are either suddenly much more active than usual or are new and generating a high volume of connection attempts, which could indicate potential security threats or network anomalies.
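The detection logic above, re-implemented in Python over constructed sample rows as an added example (it is not part of the original query page), with the multiplier and the 1,000-attempt threshold as parameters; `min_spike_ratio` also derives the spike-to-baseline ratio the ratio rule actually requires, since the average is computed over active days and includes the spike day itself. The ASNs and counts are made up for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample rows standing in for DeviceNetworkEvents after the
# ipv4_lookup enrichment: (CIDRASN, Day, ActionType). ASNs 64496-64499 are
# from the documentation range, not real observations.
def _rows(asn, day, n, action="ConnectionSuccess"):
    return [(asn, f"2025-05-{day:02d}", action)] * n

EVENTS = []
for d in range(1, 7):
    EVENTS += _rows(64496, d, 100) + _rows(64497, d, 100)
EVENTS += _rows(64496, 7, 900)                        # 9x baseline -> flagged
EVENTS += _rows(64497, 7, 700)                        # 7x baseline -> not flagged
EVENTS += _rows(64498, 7, 1200, "ConnectionFailed")   # new ASN, >1000 attempts
EVENTS += _rows(64499, 7, 50, "ConnectionAttempt")    # new ASN, quiet

MULTIPLIER = 4           # mirrors "Multiply_avg = AvgConnectionsPerDay * 4"
NEW_ASN_ATTEMPTS = 1000  # mirrors "Attempts_Connections > 1000"

def detect(events, multiplier=MULTIPLIER, new_asn_attempts=NEW_ASN_ATTEMPTS):
    """Return (asn, day, connections, avg_per_day, rule) for each flagged ASN-day."""
    totals, attempts = defaultdict(int), defaultdict(int)
    for asn, day, action in events:                   # the "daily" summarize
        totals[(asn, day)] += 1
        if action in ("ConnectionAttempt", "ConnectionFailed"):
            attempts[(asn, day)] += 1
    per_asn = defaultdict(dict)
    for (asn, day), n in totals.items():
        per_asn[asn][day] = n
    hits = []
    for asn, days in per_asn.items():                 # the "summary" plus join
        avg = mean(days.values())   # average over active days only, spike day included
        for day, n in days.items():
            spike = n > avg * multiplier
            new_asn = len(days) == 1 and attempts[(asn, day)] > new_asn_attempts
            if spike or new_asn:
                hits.append((asn, day, n, round(avg, 1), "spike" if spike else "new_asn"))
    return sorted(hits, key=lambda h: h[2], reverse=True)

def min_spike_ratio(active_days, multiplier=MULTIPLIER):
    """Smallest spike/baseline ratio that trips the ratio rule when an ASN has
    `active_days` days of data and the spike day is part of the average.
    Solves n*S > m*((n-1)*B + S); returns None when the rule can never fire."""
    n, m = active_days, multiplier
    return None if n <= m else m * (n - 1) / (n - m)
```

With seven active days the ratio rule needs the spike day to exceed eight times the baseline, and an ASN active on four or fewer days can never trip it, so the 1,000-attempt clause is what catches a first-day burst.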

Details


Sergio Albea

Released: May 14, 2025

Tables

DeviceNetworkEvents

Keywords

ASN, DeviceNetworkEvents, Connections, IP, Day, Timestamp

Operators

externaldata, with, where, isnotempty, and, !has, >=, ago, evaluate, ipv4_lookup, extend, format_datetime, startofday, summarize, countif, endswith, make_set, by, join, kind, on, *, <, or, project, order by
