Palo Alto - potential beaconing detected
| Id | 2f8522fc-7807-4f0a-b53d-458296edab8d |
| Rulename | Palo Alto - potential beaconing detected |
| Description | Identifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns. Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586 |
| Severity | Low |
| Tactics | CommandAndControl |
| Techniques | T1071 T1571 |
| Required data connectors | CloudNgfwByPAN |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 2d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Cloud NGFW by Palo Alto Networks/Hunting Queries/CloudNGFW-PotentialBeaconing.yaml |
| Version | 1.0.2 |
| Arm template | 2f8522fc-7807-4f0a-b53d-458296edab8d.json |
let starttime = 2d;
let endtime = 1d;
let TimeDeltaThreshold = 25;
let TotalEventsThreshold = 30;
let MostFrequentTimeDeltaThreshold = 25;
let PercentBeaconThreshold = 80;
fluentbit_CL
| where isnotempty(FirewallName_s) and ident_s == "TRAFFIC"
| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
| extend DestinationIP = extractjson("$.dst_ip", Message)
| where ipv4_is_private(DestinationIP) == false
| project TimeGenerated, FirewallName_s, SourceIP=extractjson("$.src_ip", Message), SourcePort=extractjson("$.sport", Message), DestinationIP, DestinationPort=extractjson("$.dport", Message), ReceivedBytes=tolong(extractjson("$.bytes_recv", Message)), SentBytes=tolong(extractjson("$.bytes_sent", Message))
| sort by SourceIP asc, TimeGenerated asc, DestinationIP asc, DestinationPort asc
| serialize
| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)
| extend TimeDeltainSeconds = datetime_diff('second', nextTimeGenerated, TimeGenerated)
| where SourceIP == nextSourceIP
// Whitelisting criteria/ threshold criteria
| where TimeDeltainSeconds > TimeDeltaThreshold
| summarize count(), sum(ReceivedBytes), sum(SentBytes)
by TimeDeltainSeconds, bin(TimeGenerated, 1h), FirewallName_s, SourceIP, DestinationIP, DestinationPort
| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes)
by bin(TimeGenerated, 1h), FirewallName_s, SourceIP, DestinationIP, DestinationPort
| where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold
| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100
| where BeaconPercent > PercentBeaconThreshold
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, HostCustomEntity = FirewallName_s
description: |
'Identifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns.
Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586'
query: |
let starttime = 2d;
let endtime = 1d;
let TimeDeltaThreshold = 25;
let TotalEventsThreshold = 30;
let MostFrequentTimeDeltaThreshold = 25;
let PercentBeaconThreshold = 80;
fluentbit_CL
| where isnotempty(FirewallName_s) and ident_s == "TRAFFIC"
| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
| extend DestinationIP = extractjson("$.dst_ip", Message)
| where ipv4_is_private(DestinationIP) == false
| project TimeGenerated, FirewallName_s, SourceIP=extractjson("$.src_ip", Message), SourcePort=extractjson("$.sport", Message), DestinationIP, DestinationPort=extractjson("$.dport", Message), ReceivedBytes=tolong(extractjson("$.bytes_recv", Message)), SentBytes=tolong(extractjson("$.bytes_sent", Message))
| sort by SourceIP asc, TimeGenerated asc, DestinationIP asc, DestinationPort asc
| serialize
| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)
| extend TimeDeltainSeconds = datetime_diff('second', nextTimeGenerated, TimeGenerated)
| where SourceIP == nextSourceIP
// Whitelisting criteria/ threshold criteria
| where TimeDeltainSeconds > TimeDeltaThreshold
| summarize count(), sum(ReceivedBytes), sum(SentBytes)
by TimeDeltainSeconds, bin(TimeGenerated, 1h), FirewallName_s, SourceIP, DestinationIP, DestinationPort
| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes)
by bin(TimeGenerated, 1h), FirewallName_s, SourceIP, DestinationIP, DestinationPort
| where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold
| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100
| where BeaconPercent > PercentBeaconThreshold
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, HostCustomEntity = FirewallName_s
entityMappings:
- entityType: Host
fieldMappings:
- columnName: HostCustomEntity
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: IPCustomEntity
identifier: Address
requiredDataConnectors:
- connectorId: CloudNgfwByPAN
dataTypes:
- fluentbit_CL
status: Available
triggerThreshold: 0
tactics:
- CommandAndControl
queryPeriod: 2d
triggerOperator: gt
id: 2f8522fc-7807-4f0a-b53d-458296edab8d
relevantTechniques:
- T1071
- T1571
severity: Low
name: Palo Alto - potential beaconing detected
kind: Scheduled
queryFrequency: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Cloud NGFW by Palo Alto Networks/Hunting Queries/CloudNGFW-PotentialBeaconing.yaml
version: 1.0.2