KQL Search

Query Details

HomeAI ToolsDevice Query

Extracting Bits Of TCP Flags

Query

**Extracting bits of TCP Flags**

This KQL Query is oriented to extract the different bits of TCP Flags which helps to review the different state of the connections and identify possible threats associated.
```
let binnary_codes = externaldata(Integer: string, binary: string)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/binary_list.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceNetworkEvents
| extend tags = parse_json( AdditionalFields)
| extend direction =  tags["direction"]
| where direction has "In"
| extend Geo_IP = tostring(geo_info_from_ip_address(RemoteIP).country)
| where isnotempty(Geo_IP)
| extend TCPFlags =  tostring(tags["Tcp Flags"])
| join kind=leftouter  ( binnary_codes) on $left.TCPFlags == $right.Integer
| extend  num0 = strcat(substring(binary,  0,1)),num1 = strcat(substring(binary,  1,1)),num2 = strcat(substring(binary,  2,1)),num3 = strcat(substring(binary,  3,1)),num4 = strcat(substring(binary,  4,1)),num5 = strcat(substring(binary,  5,1)),num6 = strcat(substring(binary,  6,1)),num7 = strcat(substring(binary,  7,1))
| summarize make_set(binary),FIN= countif(num7 == 1),SYN= countif(num6 == 1),RST = countif(num5 == 1),PSH = countif(num4 == 1),ACK = countif(num3 == 1),URG = countif(num2 == 1),ECE = countif(num1 == 1),CWR = countif(num0 == 1),  count() by RemoteIP, Geo_IP
```

Explanation

This KQL query is designed to analyze network events by examining the TCP flags in incoming network traffic. Here's a simplified breakdown of what the query does:

  1. Load Binary Codes: It starts by loading a CSV file containing mappings of integer values to their binary representations. This file is hosted on GitHub.

  2. Filter Network Events: It filters network events to only include those with an "In" direction, meaning incoming traffic.

  3. Extract Geo Information: For each event, it extracts the country associated with the remote IP address.

  4. Extract TCP Flags: It retrieves the TCP flags from the event data, which indicate the state of the TCP connection.

  5. Join with Binary Codes: The query joins the network events with the binary codes data to convert the TCP flags from integer to binary format.

  6. Extract Individual Bits: It breaks down the binary representation of the TCP flags into individual bits.

  7. Summarize TCP Flag Counts: It counts how many times each TCP flag (FIN, SYN, RST, PSH, ACK, URG, ECE, CWR) is set (i.e., has a value of 1) for each remote IP and country.

  8. Output: The result is a summary table showing the count of each TCP flag for each remote IP and its associated country, which can help identify unusual patterns or potential threats in the network traffic.

Details

Sergio Albea profile picture

Sergio Albea

Released: February 3, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsGeoIPTCPFlagsRemoteIP

Operators

letexternaldatawithextendparse_jsontostringgeo_info_from_ip_addresswhereisnotemptyjoinonstrcatsubstringsummarizemake_setcountifcountby

Actions