MDE Suspicious TCP Flags

# Defender for Endpoint - Potential suspicious TCP Flags

## Query Information

### Description

This query looks for inbound network events in DeviceNetworkEvents whose TCP flag combination is invalid or typical of port scanning (for example SYN set together with FIN or RST).

#### References

### Author

- **Alex Verboon**

## Defender XDR

```kql
// "Tcp Flags" is the decimal value of the TCP flags byte:
// FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32, ECE=64, CWR=128.
// Values are kept as strings because the field is read from AdditionalFields as a string.
// Note: the nmap Xmas scan (FIN+PSH+URG) decodes to 41 and is not in this list.
let FlagReference = datatable(TcpFlagDecimal:string, Comment:string)
[
    "6",  "SYN + RST (invalid, often scanning)",
    "7",  "FIN + SYN + RST (highly abnormal)",
    "19", "FIN + SYN + ACK (invalid: SYN together with FIN)",
    "27", "FIN + SYN + PSH + ACK (invalid: SYN together with FIN)",
    "30", "SYN + RST + PSH + ACK (invalid: SYN together with RST)",
    "31", "FIN + SYN + RST + PSH + ACK (invalid combination)",
    "63", "FIN + SYN + RST + PSH + ACK + URG (all six classic flags; ECE/CWR are 64/128 and not included)"
];
let suspiciousflags = dynamic(["6","7","19","27","30","31","63"]);
DeviceNetworkEvents
| extend info = parse_json(AdditionalFields)
| extend TcpFlags = tostring(info["Tcp Flags"])      // info is already parsed; no second parse_json needed
| extend direction = tostring(info["direction"])
| where direction has "In"
| extend Geo_IP = tostring(geo_info_from_ip_address(RemoteIP).country)
| extend IsPrivate = ipv4_is_private(RemoteIP)
// Defender XDR advanced hunting exposes the event time as Timestamp; use TimeGenerated for the Sentinel copy of the table
| project Timestamp, DeviceName, LocalIP, LocalPort, RemoteIP, IsPrivate, RemotePort, Geo_IP, TcpFlags, ActionType
//| where IsPrivate == false   // uncomment to keep only external sources (ipv4_is_private returns a bool)
| where TcpFlags in (suspiciousflags)   // exact match on the decimal value; has_any would do term matching on the string
| lookup kind=leftouter FlagReference on $left.TcpFlags == $right.TcpFlagDecimal
```

Explanation

This query is designed to identify potentially suspicious network traffic by examining TCP flags in network events. Here's a simplified breakdown:

  1. Purpose: The query aims to detect network traffic with unusual or potentially malicious TCP flag combinations, which might indicate scanning or other suspicious activities.

  2. Reference Table: It uses a reference table (FlagReference) that maps specific TCP flag combinations, written as the decimal value of the TCP flags byte, to descriptions of why they are considered suspicious or abnormal.

  3. Suspicious Flags: A list of suspicious TCP flag combinations is defined. The numbers are the decimal value of the TCP flags byte (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32), so they decode as:

    • 6: SYN + RST (SYN and RST together; often associated with scanning)
    • 7: FIN + SYN + RST (highly abnormal)
    • 19: FIN + SYN + ACK (SYN and FIN together; invalid)
    • 27: FIN + SYN + PSH + ACK (SYN and FIN together; invalid)
    • 30: SYN + RST + PSH + ACK (SYN and RST together; invalid)
    • 31: FIN + SYN + RST + PSH + ACK (invalid combination)
    • 63: FIN + SYN + RST + PSH + ACK + URG (all six classic flags set; ECE and CWR, bits 64 and 128, are not included)

    Every value in the list has SYN set together with FIN or RST, which no conforming TCP stack emits. The classic Xmas scan (FIN + PSH + URG) decodes to 41 and is not covered by this list.
  4. Data Source: The query analyzes data from DeviceNetworkEvents, which contains network event logs.

  5. Data Processing:

    • It extracts additional information from the AdditionalFields column, specifically the TCP flags and the direction of the traffic.
    • It filters for incoming traffic (direction has "In").
    • It determines the geographical location of the remote IP and checks if the IP is private.
  6. Filtering and Output:

    • The query projects relevant fields such as time, device name, IP addresses, ports, TCP flags, and action type.
    • It filters events to only include those with suspicious TCP flag combinations.
    • Finally, it performs a left outer lookup (lookup kind=leftouter) against the FlagReference table to attach the comment for each matched flag value to the results.

In summary, this query helps identify potentially malicious network activities by flagging unusual TCP flag combinations in incoming network traffic.
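To check the reference table above, and to see how the query's filter behaves on real flag values, here is an added example (not part of the original page or the author's query). It assumes that "Tcp Flags" in DeviceNetworkEvents.AdditionalFields is the decimal value of the TCP flags byte (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32, ECE=64, CWR=128) and that "direction" holds "In" or "Out"; the sample events are constructed for the example. It goes a step beyond the query by deriving the verdict from the bits instead of a fixed value list, so combinations the list misses (such as the Xmas scan, 41) are still classified.

```python
"""Decode and classify TCP flag values as they appear in MDE "Tcp Flags".

Added example; not the query author's code. Assumes "Tcp Flags" is the decimal
value of the TCP flags byte and "direction" is "In"/"Out" (both assumptions).
"""
import json
from typing import List, Optional

# Bit values of the TCP flags byte (RFC 793; ECE/CWR from RFC 3168), lowest bit first.
FLAG_BITS = (("FIN", 1), ("SYN", 2), ("RST", 4), ("PSH", 8),
             ("ACK", 16), ("URG", 32), ("ECE", 64), ("CWR", 128))

# The decimal values the page's FlagReference table lists.
PAGE_REFERENCE_VALUES = (6, 7, 19, 27, 30, 31, 63)


def decode_flags(value: int) -> List[str]:
    """Return the names of the flags set in a TCP flags byte, lowest bit first."""
    if not 0 <= value <= 255:
        raise ValueError(f"TCP flags byte out of range: {value}")
    return [name for name, bit in FLAG_BITS if value & bit]


def classify(value: int) -> Optional[str]:
    """Explain why a combination is abnormal, or return None if a real TCP stack can emit it."""
    flags = set(decode_flags(value)) - {"ECE", "CWR"}   # ECN bits do not affect validity
    if not flags:
        return "null scan (no flags set)"
    if flags == {"FIN", "PSH", "URG"}:
        return "Xmas scan (FIN+PSH+URG)"
    if {"SYN", "FIN"} <= flags:
        return "invalid: SYN together with FIN"
    if {"SYN", "RST"} <= flags:
        return "invalid: SYN together with RST"
    if not flags & {"ACK", "SYN", "RST"}:
        # After the handshake every segment carries ACK; FIN/PSH/URG alone are crafted (e.g. FIN scan).
        return "no ACK on a non-SYN segment"
    return None   # SYN, SYN+ACK, ACK, PSH+ACK, FIN+ACK, RST, RST+ACK, ...


def check_page_reference() -> dict:
    """Decode each value from the page's FlagReference table into its flag names."""
    return {v: "+".join(decode_flags(v)) for v in PAGE_REFERENCE_VALUES}


def find_suspicious_inbound(events: List[dict]) -> List[dict]:
    """Mirror the query: keep inbound events whose TCP flags are abnormal, with a comment."""
    hits = []
    for ev in events:
        info = json.loads(ev["AdditionalFields"])            # same parse_json step as the query
        if not str(info.get("direction", "")).startswith("In"):
            continue                                          # the query's `direction has "In"`
        raw = info.get("Tcp Flags")
        if raw is None:
            continue
        value = int(raw)
        reason = classify(value)
        if reason is None:
            continue
        hits.append({"RemoteIP": ev["RemoteIP"], "RemotePort": ev["RemotePort"],
                     "TcpFlags": value, "Flags": "+".join(decode_flags(value)), "Comment": reason})
    return hits


# Constructed DeviceNetworkEvents-shaped rows; not real telemetry.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "203.0.113.7", "RemotePort": 445,
     "AdditionalFields": json.dumps({"direction": "In", "Tcp Flags": "2"})},    # plain SYN: normal
    {"DeviceName": "ws01", "RemoteIP": "203.0.113.7", "RemotePort": 445,
     "AdditionalFields": json.dumps({"direction": "In", "Tcp Flags": "41"})},   # Xmas scan, missed by the fixed list
    {"DeviceName": "ws01", "RemoteIP": "198.51.100.9", "RemotePort": 3389,
     "AdditionalFields": json.dumps({"direction": "In", "Tcp Flags": "6"})},    # SYN+RST
    {"DeviceName": "ws01", "RemoteIP": "10.0.0.5", "RemotePort": 80,
     "AdditionalFields": json.dumps({"direction": "Out", "Tcp Flags": "31"})},  # outbound: dropped by direction filter
    {"DeviceName": "ws01", "RemoteIP": "10.0.0.6", "RemotePort": 22,
     "AdditionalFields": json.dumps({"direction": "In", "Tcp Flags": "24"})},   # PSH+ACK: normal
]

if __name__ == "__main__":
    for value, names in check_page_reference().items():
        print(f"{value:>3} = {names:<24} {classify(value)}")
    for hit in find_suspicious_inbound(SAMPLE_EVENTS):
        print(hit)
```

Running it prints the decoded name of every value in the reference table (31 decodes to FIN+SYN+RST+PSH+ACK, 63 to the six classic flags without ECE/CWR) and reports only the two abnormal inbound rows of the sample set. The same bit logic can be expressed in KQL with binary_and on toint(TcpFlags) if you prefer to derive the verdict in the query rather than maintain a value list.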

Details


Alex Verboon

Released: August 29, 2025

Tables

DeviceNetworkEvents

Keywords

Defender Endpoint, Network Traffic, Tcp Flags, Device, Geo IP Address

Operators

let, datatable, dynamic, extend, parse_json, tostring, geo_info_from_ip_address, ipv4_is_private, project, where, has, has_any, lookup, kind=leftouter
