Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Potential beaconing activity ASIM Network Session schema

Back
Idfcb9d75c-c3c1-4910-8697-f136bfef2363
RulenamePotential beaconing activity (ASIM Network Session schema)
DescriptionThis rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns.

Such potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this Blog.

This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM NetworkSession schema
SeverityLow
TacticsCommandAndControl
TechniquesT1071
T1571
Required data connectorsAIVectraStream
AWSS3
AzureFirewall
AzureMonitor(VMInsights)
AzureNSG
CheckPoint
CiscoASA
CiscoAsaAma
CiscoMeraki
Corelight
Fortinet
MicrosoftSysmonForLinux
MicrosoftThreatProtection
PaloAltoNetworks
SecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
Zscaler
KindScheduled
Query frequency1d
Query period2d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/PossibleBeaconingActivity.yaml
Version1.1.6
Arm templatefcb9d75c-c3c1-4910-8697-f136bfef2363.json
Deploy To Azure
let querystarttime = 2d;
let queryendtime = 1d;
let TimeDeltaThreshold = 10;
let TotalEventsThreshold = 15;
let PercentBeaconThreshold = 80;
let LocalNetworks=dynamic(["169.254.0.0/16","127.0.0.0/8"]);
_Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))
| where not(ipv4_is_private(DstIpAddr))
| where not (ipv4_is_in_any_range(DstIpAddr, LocalNetworks))
| project 
    TimeGenerated
    , SrcIpAddr
    , SrcPortNumber
    , DstIpAddr
    , DstPortNumber
    , DstBytes
    , SrcBytes
| sort by 
    SrcIpAddr asc
    , TimeGenerated asc
    , DstIpAddr asc
    , DstPortNumber asc
| serialize
| extend 
    nextTimeGenerated = next(TimeGenerated, 1)
    , nextSrcIpAddr = next(SrcIpAddr, 1)
| extend 
    TimeDeltainSeconds = datetime_diff('second', nextTimeGenerated, TimeGenerated)
| where SrcIpAddr == nextSrcIpAddr
//Whitelisting criteria/ threshold criteria
| where TimeDeltainSeconds > TimeDeltaThreshold 
| project
    TimeGenerated
    , TimeDeltainSeconds
    , SrcIpAddr
    , SrcPortNumber
    , DstIpAddr
    , DstPortNumber
    , DstBytes
    , SrcBytes
| summarize
    count()
    , sum(DstBytes)
    , sum(SrcBytes)
    , make_list(TimeDeltainSeconds) 
    by TimeDeltainSeconds
        , bin(TimeGenerated, 1h)
        , SrcIpAddr
        , DstIpAddr
        , DstPortNumber
| summarize
    (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds)
    , TotalEvents=sum(count_)
    , TotalSrcBytes = sum(sum_SrcBytes)
    , TotalDstBytes = sum(sum_DstBytes)
    by bin(TimeGenerated, 1h)
        , SrcIpAddr
        , DstIpAddr
        , DstPortNumber
| where TotalEvents > TotalEventsThreshold 
| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100
| where BeaconPercent > PercentBeaconThreshold
queryPeriod: 2d
version: 1.1.6
tactics:
- CommandAndControl
queryFrequency: 1d
id: fcb9d75c-c3c1-4910-8697-f136bfef2363
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/PossibleBeaconingActivity.yaml
requiredDataConnectors:
- dataTypes:
  - AWSVPCFlow
  connectorId: AWSS3
- dataTypes:
  - DeviceNetworkEvents
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - SecurityEvent
  connectorId: WindowsSecurityEvents
- dataTypes:
  - WindowsEvent
  connectorId: WindowsForwardedEvents
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - Syslog
  connectorId: MicrosoftSysmonForLinux
- dataTypes:
  - CommonSecurityLog
  connectorId: PaloAltoNetworks
- dataTypes:
  - VMConnection
  connectorId: AzureMonitor(VMInsights)
- dataTypes:
  - AzureDiagnostics
  connectorId: AzureFirewall
- dataTypes:
  - AzureDiagnostics
  connectorId: AzureNSG
- dataTypes:
  - CommonSecurityLog
  connectorId: CiscoASA
- dataTypes:
  - CommonSecurityLog
  connectorId: CiscoAsaAma
- dataTypes:
  - Corelight_CL
  connectorId: Corelight
- dataTypes:
  - VectraStream
  connectorId: AIVectraStream
- dataTypes:
  - CommonSecurityLog
  connectorId: CheckPoint
- dataTypes:
  - CommonSecurityLog
  connectorId: Fortinet
- dataTypes:
  - Syslog
  - CiscoMerakiNativePoller
  connectorId: CiscoMeraki
severity: Low
alertDetailsOverride:
  alertDescriptionFormat: Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.
  alertDisplayNameFormat: Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: DstIpAddr
    identifier: Address
triggerThreshold: 0
relevantTechniques:
- T1071
- T1571
query: |
  let querystarttime = 2d;
  let queryendtime = 1d;
  let TimeDeltaThreshold = 10;
  let TotalEventsThreshold = 15;
  let PercentBeaconThreshold = 80;
  let LocalNetworks=dynamic(["169.254.0.0/16","127.0.0.0/8"]);
  _Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))
  | where not(ipv4_is_private(DstIpAddr))
  | where not (ipv4_is_in_any_range(DstIpAddr, LocalNetworks))
  | project 
      TimeGenerated
      , SrcIpAddr
      , SrcPortNumber
      , DstIpAddr
      , DstPortNumber
      , DstBytes
      , SrcBytes
  | sort by 
      SrcIpAddr asc
      , TimeGenerated asc
      , DstIpAddr asc
      , DstPortNumber asc
  | serialize
  | extend 
      nextTimeGenerated = next(TimeGenerated, 1)
      , nextSrcIpAddr = next(SrcIpAddr, 1)
  | extend 
      TimeDeltainSeconds = datetime_diff('second', nextTimeGenerated, TimeGenerated)
  | where SrcIpAddr == nextSrcIpAddr
  //Whitelisting criteria/ threshold criteria
  | where TimeDeltainSeconds > TimeDeltaThreshold 
  | project
      TimeGenerated
      , TimeDeltainSeconds
      , SrcIpAddr
      , SrcPortNumber
      , DstIpAddr
      , DstPortNumber
      , DstBytes
      , SrcBytes
  | summarize
      count()
      , sum(DstBytes)
      , sum(SrcBytes)
      , make_list(TimeDeltainSeconds) 
      by TimeDeltainSeconds
          , bin(TimeGenerated, 1h)
          , SrcIpAddr
          , DstIpAddr
          , DstPortNumber
  | summarize
      (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds)
      , TotalEvents=sum(count_)
      , TotalSrcBytes = sum(sum_SrcBytes)
      , TotalDstBytes = sum(sum_DstBytes)
      by bin(TimeGenerated, 1h)
          , SrcIpAddr
          , DstIpAddr
          , DstPortNumber
  | where TotalEvents > TotalEventsThreshold 
  | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100
  | where BeaconPercent > PercentBeaconThreshold  
kind: Scheduled
name: Potential beaconing activity (ASIM Network Session schema)
customDetails:
  FrequencyCount: TotalSrcBytes
  DstPortNumber: DstPortNumber
  FrequencyTime: MostFrequentTimeDeltaCount
  TotalDstBytes: TotalDstBytes
description: |
  This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. 
  Such potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'  
status: Available
tags:
- ParentVersion: 1.0.0
  ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml
- Schema: ASIMNetworkSession
  SchemaVersion: 0.2.4
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fcb9d75c-c3c1-4910-8697-f136bfef2363')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fcb9d75c-c3c1-4910-8697-f136bfef2363')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.",
          "alertDisplayNameFormat": "Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}"
        },
        "alertRuleTemplateName": "fcb9d75c-c3c1-4910-8697-f136bfef2363",
        "customDetails": {
          "DstPortNumber": "DstPortNumber",
          "FrequencyCount": "TotalSrcBytes",
          "FrequencyTime": "MostFrequentTimeDeltaCount",
          "TotalDstBytes": "TotalDstBytes"
        },
        "description": "This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. \nSuch potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'\n",
        "displayName": "Potential beaconing activity (ASIM Network Session schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DstIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/PossibleBeaconingActivity.yaml",
        "query": "let querystarttime = 2d;\nlet queryendtime = 1d;\nlet TimeDeltaThreshold = 10;\nlet TotalEventsThreshold = 15;\nlet PercentBeaconThreshold = 80;\nlet LocalNetworks=dynamic([\"169.254.0.0/16\",\"127.0.0.0/8\"]);\n_Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))\n| where not(ipv4_is_private(DstIpAddr))\n| where not (ipv4_is_in_any_range(DstIpAddr, LocalNetworks))\n| project \n    TimeGenerated\n    , SrcIpAddr\n    , SrcPortNumber\n    , DstIpAddr\n    , DstPortNumber\n    , DstBytes\n    , SrcBytes\n| sort by \n    SrcIpAddr asc\n    , TimeGenerated asc\n    , DstIpAddr asc\n    , DstPortNumber asc\n| serialize\n| extend \n    nextTimeGenerated = next(TimeGenerated, 1)\n    , nextSrcIpAddr = next(SrcIpAddr, 1)\n| extend \n    TimeDeltainSeconds = datetime_diff('second', nextTimeGenerated, TimeGenerated)\n| where SrcIpAddr == nextSrcIpAddr\n//Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold \n| project\n    TimeGenerated\n    , TimeDeltainSeconds\n    , SrcIpAddr\n    , SrcPortNumber\n    , DstIpAddr\n    , DstPortNumber\n    , DstBytes\n    , SrcBytes\n| summarize\n    count()\n    , sum(DstBytes)\n    , sum(SrcBytes)\n    , make_list(TimeDeltainSeconds) \n    by TimeDeltainSeconds\n        , bin(TimeGenerated, 1h)\n        , SrcIpAddr\n        , DstIpAddr\n        , DstPortNumber\n| summarize\n    (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds)\n    , TotalEvents=sum(count_)\n    , TotalSrcBytes = sum(sum_SrcBytes)\n    , TotalDstBytes = sum(sum_DstBytes)\n    by bin(TimeGenerated, 1h)\n        , SrcIpAddr\n        , DstIpAddr\n        , DstPortNumber\n| where TotalEvents > TotalEventsThreshold \n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P2D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "tags": [
          {
            "ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml",
            "ParentVersion": "1.0.0"
          },
          {
            "Schema": "ASIMNetworkSession",
            "SchemaVersion": "0.2.4"
          }
        ],
        "techniques": [
          "T1071",
          "T1571"
        ],
        "templateVersion": "1.1.6",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}