Rule : Possible Malware or C2 Activity
Possible Malware Activity
Query
let Lookback = 2h;
let C2Keywords = dynamic([
"c2",
"command and control",
"botnet",
"malware",
"trojan",
"ransomware",
"backdoor",
"beacon",
"dns tunneling",
"cobalt strike",
"sliver",
"meterpreter"
]);
let NetworkC2 = (
CommonSecurityLog
| where TimeGenerated >= ago(Lookback)
| extend DetectionText = strcat(Activity, " ", Message, " ", AdditionalExtensions)
| where tolower(DetectionText) has_any (C2Keywords)
| where isnotempty(SourceIP)
| where isnotempty(DestinationIP)
| where not(ipv4_is_private(DestinationIP))
| project
NetworkTime = TimeGenerated,
SourceIP,
DestinationIP,
DestinationPort,
DeviceAction,
Activity,
Message);
let SuccessfulSignins = (
SigninLogs
| where TimeGenerated >= ago(Lookback)
| where ResultType == 0
| where isnotempty(IPAddress)
| project
SigninTime = TimeGenerated,
IPAddress,
UserPrincipalName,
AppDisplayName);
let AzureActions = (
AzureActivity
| where TimeGenerated >= ago(Lookback)
| where isnotempty(CallerIpAddress)
| project
AzureActivityTime = TimeGenerated,
CallerIpAddress,
Caller,
OperationNameValue,
ActivityStatusValue);
NetworkC2
| join kind=leftouter SuccessfulSignins on $left.SourceIP == $right.IPAddress
| join kind=leftouter AzureActions on $left.SourceIP == $right.CallerIpAddress
| summarize
FirstSeen = min(NetworkTime),
LastSeen = max(NetworkTime),
DestinationIPs = make_set(DestinationIP, 20),
DestinationPorts = make_set(DestinationPort, 20),
Activities = make_set(Activity, 20),
DeviceActions = make_set(DeviceAction, 10),
Users = make_set(UserPrincipalName, 10),
SigninApps = make_set(AppDisplayName, 10),
AzureCallers = make_set(Caller, 10),
AzureOperations = make_set(OperationNameValue, 10),
NetworkEventCount = count(),
SigninCount = dcount(SigninTime),
AzureActivityCount = dcount(AzureActivityTime)
by SourceIP
| where NetworkEventCount >= 1
| extend Severity = case(
AzureActivityCount > 0, "High",
SigninCount > 0, "High",
NetworkEventCount >= 3, "Medium",
"Medium"
)
| extend AlertReason = case(
AzureActivityCount > 0,
"Possible Malware/C2 network activity from a source IP also seen in Azure activity.",
SigninCount > 0,
"Possible Malware/C2 network activity from a source IP also seen in successful sign-in logs.",
NetworkEventCount >= 3,
"Repeated Malware/C2 network indicators seen from the same source IP.",
"Malware/C2 network indicator detected."
)
| project
FirstSeen,
LastSeen,
Severity,
AlertReason,
SourceIP,
DestinationIPs,
DestinationPorts,
Activities,
DeviceActions,
Users,
SigninApps,
AzureCallers,
AzureOperations,
NetworkEventCount,
SigninCount,
AzureActivityCountAbout this query
Explanation
This query is designed to detect potential malware or command-and-control (C2) activity by analyzing network and cloud activity logs. Here's a simple breakdown of what it does:
-
Purpose: The query aims to identify suspicious network activity that might indicate a device is infected with malware or is communicating with a malicious C2 server. It specifically looks for cases where the same IP address is involved in both suspicious network activity and legitimate cloud activities, like successful sign-ins or Azure operations.
-
Detection Logic:
- It searches through security logs for keywords related to malware or C2 activity, such as "c2", "botnet", "malware", etc.
- It checks if the destination IP is external (not a private IP).
- It correlates this network activity with successful sign-in logs and Azure activity logs to see if the same source IP is involved in legitimate cloud activities.
-
Data Sources:
- CommonSecurityLog: Used to find network events with potential malware/C2 indicators.
- SigninLogs: Used to find successful sign-ins from the same source IP.
- AzureActivity: Used to find Azure operations from the same source IP.
-
Output:
- The query summarizes the findings by listing the first and last time the suspicious activity was seen, the involved IP addresses, ports, activities, and users.
- It assigns a severity level (High or Medium) based on the presence of Azure activity or sign-ins and the number of network events.
- It provides an alert reason explaining why the activity is considered suspicious.
-
MITRE ATT&CK Techniques: The query is related to techniques like Application Layer Protocol, Ingress Tool Transfer, and Dynamic Resolution, which are common in malware and C2 activities.
In essence, this query helps security teams identify potentially compromised hosts by correlating suspicious network activity with legitimate cloud activities, providing a higher confidence level in detecting threats.
Details

Ali Hussein
Released: July 2, 2026
Tables
Keywords
Operators