Query Details

Potential Beaconing Activity

Query

let DeviceThreshold = 5;
let ConnectionThreshold = 25;
let GlobalPrevalanceThreshold = 250;
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where not(ipv4_is_private(RemoteIP))
| where ActionType == 'ConnectionSuccessAggregatedReport'
| extend Connections = toint(parse_json(AdditionalFields).uniqueEventsAggregated)
| summarize Total = count(), Devices = dcount(DeviceId), Domains = make_set(RemoteUrl), AvgConnections = avg(Connections) by RemoteIP, bin(TimeGenerated, 1d)
| where AvgConnections >= ConnectionThreshold and Devices <= DeviceThreshold
| join kind=inner (DeviceNetworkEvents
    | where ActionType == 'ConnectionSuccess'
    | distinct RemoteIP, InitiatingProcessSHA256) on RemoteIP
    | invoke FileProfile(InitiatingProcessSHA256)
    | where GlobalPrevalence <= GlobalPrevalanceThreshold

About this query

Explanation

This query is designed to detect potential malicious activity, specifically Command & Control (C2) beaconing, by analyzing network connections. Here's a simplified breakdown:

  1. Objective: The query aims to identify suspicious remote IP addresses that might be involved in C2 communication. This is done by looking for IPs that receive a high number of connections from a small number of devices, which is a common pattern in malware communication.

  2. Process:

    • Data Source: It examines network events from the past 7 days.
    • Filtering: It excludes private IP addresses and focuses on successful connection reports.
    • Aggregation: It calculates the average number of connections to each remote IP and counts how many different devices are connecting to it.
    • Thresholds: It flags IPs with an average of at least 25 connections from 5 or fewer devices.
    • Enrichment: It checks the processes initiating these connections against a global database to see how common they are. Processes with low global prevalence are more suspicious.
  3. Risk: Detecting beaconing is crucial because it indicates that an attacker might be maintaining a connection to a compromised device, potentially to issue commands or steal data. Early detection can help mitigate the threat.

  4. Tools: The query is compatible with both Defender XDR and Sentinel, two security platforms.

In essence, this query helps security teams identify potential threats by spotting unusual network behavior that could indicate malware communication.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: March 9, 2026

Tables

DeviceNetworkEvents

Keywords

Devices

Operators

letwherenotextendtointparse_jsonsummarizecountdcountmake_setavgbinjoinkind=innerdistinctinvoke

MITRE Techniques

Actions

GitHub