Query Details

Potential Threats Or Network Anomalies Related To ICMP Inbound Connections

Query

**Description**: This query digs through the network logs for data related to the ICMP protocol, which devices such as routers use to send error messages and operational information; it also underpins tools like Ping and Traceroute.
With that in mind, I researched potential threats and cooked up a KQL query. It spots inbound connection attempts that could be tied to ICMP tunneling, DDoS or ICMP flood attacks, where the source sends a large volume of ICMP data (orig_bytes) but the target barely responds (resp_bytes is very low or zero).

```kusto
DeviceNetworkEvents
// Zeek-style connection fields (direction, orig_bytes, resp_bytes, duration) arrive as JSON inside AdditionalFields
| extend Source_IP_Country = tostring(geo_info_from_ip_address(LocalIP).country),
    Destination_IP_Country = tostring(geo_info_from_ip_address(RemoteIP).country),
    Direction = tostring(parse_json(AdditionalFields).direction),
    orig_bytes = toint(parse_json(AdditionalFields).orig_bytes),
    resp_bytes = toint(parse_json(AdditionalFields).resp_bytes),
    duration = todouble(parse_json(AdditionalFields).duration)
// restrict to ICMP; without this the byte comparison below matches every protocol
| where Protocol =~ "icmp"
// inbound connection attempts where both IPs geolocate and the received and responded bytes differ
| where Direction has "In" and isnotempty(Source_IP_Country) and isnotempty(Destination_IP_Country) and resp_bytes != orig_bytes
| extend difference = abs(orig_bytes - resp_bytes)
| summarize by Source_IP_connection = LocalIP, Source_IP_Country, Destination_IP = RemoteIP, Destination_IP_Country, orig_bytes, resp_bytes, difference, Protocol, ActionType, duration, Direction
// order by is descending by default in KQL, so the longest-lived connections come first
| order by duration
```

Explanation

This KQL (Kusto Query Language) query is designed to identify potential network threats or anomalies related to ICMP (Internet Control Message Protocol) inbound connections. Here's a simplified summary:

  1. Purpose: The query aims to detect suspicious inbound ICMP traffic, which could indicate malicious activities like ICMP Tunneling, DDoS (Distributed Denial of Service) attacks, or ICMP Flood attacks.

  2. Data Source: It analyzes network logs from DeviceNetworkEvents.

  3. Key Operations:

    • Extract Information: It extracts and extends various fields such as the source and destination IP countries, the direction of the traffic, the original bytes sent, the response bytes received, and the duration of the connection.
    • Filter Criteria: It filters for inbound connections where:
      • The source and destination IP countries are known.
      • The bytes sent by the source (orig_bytes) and the bytes returned by the destination (resp_bytes) differ.
    • Calculate Difference: It calculates the absolute difference between the original bytes and the response bytes.
    • Summarize and Order: It summarizes the data by grouping relevant fields and orders the results by the duration of the connection.
  4. Outcome: The query outputs a list of inbound ICMP connections where the bytes sent and the bytes received differ, with the absolute difference and the connection duration, which can point to potential threats or anomalies.

In essence, this query helps in identifying unusual ICMP traffic patterns that might signify network attacks or misuse.
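The same detection logic run offline over a handful of constructed DeviceNetworkEvents-style rows, as an added example that is not part of the original query or of Microsoft's tooling. It mirrors the query's filters (inbound, ICMP, orig_bytes differing from resp_bytes) and goes one step further with a sent-to-returned byte ratio threshold, since the description singles out flows where resp_bytes is very low or zero; the `_row` helper, `SAMPLE_EVENTS` and `min_ratio` are assumptions made for this example.

```python
import json

def _row(remote, proto, direction, orig, resp, duration):
    """Build one constructed DeviceNetworkEvents-like row; the Zeek-style
    conn fields live in AdditionalFields as a JSON string, as in the query."""
    return {"LocalIP": "10.0.0.5", "RemoteIP": remote, "Protocol": proto,
            "AdditionalFields": json.dumps({"direction": direction,
                                            "orig_bytes": orig,
                                            "resp_bytes": resp,
                                            "duration": duration})}

# Constructed sample telemetry (not real data): one lopsided inbound ICMP
# flow, one balanced ping, one mildly lopsided ICMP flow, a TCP flow and
# an outbound ICMP flow that must be ignored or ranked accordingly.
SAMPLE_EVENTS = [
    _row("198.51.100.7", "Icmp", "In", 48000, 0, 120.5),
    _row("203.0.113.9", "Icmp", "In", 64, 64, 0.01),
    _row("203.0.113.20", "Icmp", "In", 300, 100, 2.0),
    _row("192.0.2.4", "Tcp", "In", 9000, 10, 3.0),
    _row("198.51.100.7", "Icmp", "Out", 5000, 0, 9.0),
]

def suspicious_inbound_icmp(events, min_ratio=10.0):
    """Apply the query's filters (ICMP, inbound, orig_bytes != resp_bytes) and
    keep only flows whose sent bytes are at least `min_ratio` times the bytes
    returned; resp_bytes of 0 counts as an infinite ratio. Results are sorted
    by duration descending, matching KQL's default for `order by duration`."""
    hits = []
    for ev in events:
        extra = json.loads(ev["AdditionalFields"])
        if ev["Protocol"].lower() != "icmp":
            continue
        if str(extra.get("direction", "")).lower() != "in":
            continue
        orig, resp = int(extra["orig_bytes"]), int(extra["resp_bytes"])
        if orig == resp:
            continue
        ratio = float("inf") if resp == 0 else orig / resp
        if ratio < min_ratio:
            continue
        hits.append({"local_ip": ev["LocalIP"], "remote_ip": ev["RemoteIP"],
                     "orig_bytes": orig, "resp_bytes": resp,
                     "difference": abs(orig - resp),
                     "duration": float(extra["duration"])})
    return sorted(hits, key=lambda h: h["duration"], reverse=True)
```

Lowering `min_ratio` to 1.0 reproduces the query's plain `resp_bytes != orig_bytes` behaviour, which also surfaces the mildly lopsided flow.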

Details

Sergio Albea

Released: September 9, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, ICMP, Inbound Connections, Threats, Anomalies, Routers, Error Messages, Operational Info, Ping, Traceroute, ICMP Tunneling, DDoS, ICMP Flood Attacks, Source Bytes, Target Respond Bytes

Operators

extend, tostring, geo_info_from_ip_address, parse_json, toint, todouble, where, has, isnotempty, !=, abs, summarize, by, order by