Palo Alto - potential beaconing detected
| Id | 2f8522fc-7807-4f0a-b53d-458296edab8d |
| Rulename | Palo Alto - potential beaconing detected |
| Description | Identifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns. Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586 |
| Severity | Low |
| Tactics | CommandAndControl |
| Techniques | T1071 T1571 |
| Required data connectors | CloudNgfwByPAN |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 2d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Cloud NGFW by Palo Alto Networks/Hunting Queries/CloudNGFW-PotentialBeaconing.yaml |
| Version | 1.0.2 |
| Arm template | 2f8522fc-7807-4f0a-b53d-458296edab8d.json |
let starttime = 2d;
let endtime = 1d;
let TimeDeltaThreshold = 25;
let TotalEventsThreshold = 30;
let MostFrequentTimeDeltaThreshold = 25;
let PercentBeaconThreshold = 80;
fluentbit_CL
| where isnotempty(FirewallName_s) and ident_s == "TRAFFIC"
| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
| extend DestinationIP = extractjson("$.dst_ip", Message)
| where ipv4_is_private(DestinationIP) == false
| project TimeGenerated, FirewallName_s, SourceIP=extractjson("$.src_ip", Message), SourcePort=extractjson("$.sport", Message), DestinationIP, DestinationPort=extractjson("$.dport", Message), ReceivedBytes=tolong(extractjson("$.bytes_recv", Message)), SentBytes=tolong(extractjson("$.bytes_sent", Message))
| sort by SourceIP asc, TimeGenerated asc, DestinationIP asc, DestinationPort asc
| serialize
| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)
| extend TimeDeltainSeconds = datetime_diff('second', nextTimeGenerated, TimeGenerated)
| where SourceIP == nextSourceIP
// Whitelisting criteria/ threshold criteria
| where TimeDeltainSeconds > TimeDeltaThreshold
| summarize count(), sum(ReceivedBytes), sum(SentBytes)
by TimeDeltainSeconds, bin(TimeGenerated, 1h), FirewallName_s, SourceIP, DestinationIP, DestinationPort
| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes)
by bin(TimeGenerated, 1h), FirewallName_s, SourceIP, DestinationIP, DestinationPort
| where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold
| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100
| where BeaconPercent > PercentBeaconThreshold
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, HostCustomEntity = FirewallName_s
relevantTechniques:
- T1071
- T1571
name: Palo Alto - potential beaconing detected
requiredDataConnectors:
- dataTypes:
- fluentbit_CL
connectorId: CloudNgfwByPAN
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
entityType: Host
- fieldMappings:
- identifier: Address
columnName: IPCustomEntity
entityType: IP
triggerThreshold: 0
id: 2f8522fc-7807-4f0a-b53d-458296edab8d
tactics:
- CommandAndControl
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Cloud NGFW by Palo Alto Networks/Hunting Queries/CloudNGFW-PotentialBeaconing.yaml
queryPeriod: 2d
kind: Scheduled
queryFrequency: 1d
severity: Low
status: Available
description: |
'Identifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns.
Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586'
query: |
let starttime = 2d;
let endtime = 1d;
let TimeDeltaThreshold = 25;
let TotalEventsThreshold = 30;
let MostFrequentTimeDeltaThreshold = 25;
let PercentBeaconThreshold = 80;
fluentbit_CL
| where isnotempty(FirewallName_s) and ident_s == "TRAFFIC"
| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
| extend DestinationIP = extractjson("$.dst_ip", Message)
| where ipv4_is_private(DestinationIP) == false
| project TimeGenerated, FirewallName_s, SourceIP=extractjson("$.src_ip", Message), SourcePort=extractjson("$.sport", Message), DestinationIP, DestinationPort=extractjson("$.dport", Message), ReceivedBytes=tolong(extractjson("$.bytes_recv", Message)), SentBytes=tolong(extractjson("$.bytes_sent", Message))
| sort by SourceIP asc, TimeGenerated asc, DestinationIP asc, DestinationPort asc
| serialize
| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)
| extend TimeDeltainSeconds = datetime_diff('second', nextTimeGenerated, TimeGenerated)
| where SourceIP == nextSourceIP
// Whitelisting criteria/ threshold criteria
| where TimeDeltainSeconds > TimeDeltaThreshold
| summarize count(), sum(ReceivedBytes), sum(SentBytes)
by TimeDeltainSeconds, bin(TimeGenerated, 1h), FirewallName_s, SourceIP, DestinationIP, DestinationPort
| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes)
by bin(TimeGenerated, 1h), FirewallName_s, SourceIP, DestinationIP, DestinationPort
| where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold
| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100
| where BeaconPercent > PercentBeaconThreshold
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, HostCustomEntity = FirewallName_s
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2f8522fc-7807-4f0a-b53d-458296edab8d')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2f8522fc-7807-4f0a-b53d-458296edab8d')]",
"properties": {
"alertRuleTemplateName": "2f8522fc-7807-4f0a-b53d-458296edab8d",
"customDetails": null,
"description": "'Identifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns.\n Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586'\n",
"displayName": "Palo Alto - potential beaconing detected",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Cloud NGFW by Palo Alto Networks/Hunting Queries/CloudNGFW-PotentialBeaconing.yaml",
"query": "let starttime = 2d;\nlet endtime = 1d;\nlet TimeDeltaThreshold = 25;\nlet TotalEventsThreshold = 30;\nlet MostFrequentTimeDeltaThreshold = 25;\nlet PercentBeaconThreshold = 80;\nfluentbit_CL\n| where isnotempty(FirewallName_s) and ident_s == \"TRAFFIC\"\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| extend DestinationIP = extractjson(\"$.dst_ip\", Message)\n| where ipv4_is_private(DestinationIP) == false\n| project TimeGenerated, FirewallName_s, SourceIP=extractjson(\"$.src_ip\", Message), SourcePort=extractjson(\"$.sport\", Message), DestinationIP, DestinationPort=extractjson(\"$.dport\", Message), ReceivedBytes=tolong(extractjson(\"$.bytes_recv\", Message)), SentBytes=tolong(extractjson(\"$.bytes_sent\", Message))\n| sort by SourceIP asc, TimeGenerated asc, DestinationIP asc, DestinationPort asc\n| serialize\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\n| extend TimeDeltainSeconds = datetime_diff('second', nextTimeGenerated, TimeGenerated)\n| where SourceIP == nextSourceIP\n// Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), FirewallName_s, SourceIP, DestinationIP, DestinationPort\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes)\nby bin(TimeGenerated, 1h), FirewallName_s, SourceIP, DestinationIP, DestinationPort\n| where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, HostCustomEntity = FirewallName_s\n",
"queryFrequency": "P1D",
"queryPeriod": "P2D",
"severity": "Low",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"techniques": [
"T1071",
"T1571"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}