Potential beaconing activity ASIM Network Session schema
| Field | Value |
| --- | --- |
| Id | fcb9d75c-c3c1-4910-8697-f136bfef2363 |
| Rulename | Potential beaconing activity (ASIM Network Session schema) |
| Description | This rule identifies beaconing patterns in network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing patterns to untrusted public networks should be investigated for malware callbacks or data exfiltration attempts, as discussed in this Blog. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM NetworkSession schema. |
| Severity | Low |
| Tactics | CommandAndControl |
| Techniques | T1071, T1571 |
| Required data connectors | AIVectraStream, AWSS3, AzureFirewall, AzureMonitor(VMInsights), AzureNSG, CheckPoint, CiscoASA, CiscoAsaAma, CiscoMeraki, Corelight, Fortinet, MicrosoftSysmonForLinux, MicrosoftThreatProtection, PaloAltoNetworks, SecurityEvents, WindowsForwardedEvents, WindowsSecurityEvents, Zscaler |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 2d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/PossibleBeaconingActivity.yaml |
| Version | 1.1.6 |
| Arm template | fcb9d75c-c3c1-4910-8697-f136bfef2363.json |
```kusto
let querystarttime = 2d;
let queryendtime = 1d;
let TimeDeltaThreshold = 10;
let TotalEventsThreshold = 15;
let PercentBeaconThreshold = 80;
let LocalNetworks=dynamic(["169.254.0.0/16","127.0.0.0/8"]);
_Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))
| where not(ipv4_is_private(DstIpAddr))
| where not (ipv4_is_in_any_range(DstIpAddr, LocalNetworks))
| project
    TimeGenerated
    , SrcIpAddr
    , SrcPortNumber
    , DstIpAddr
    , DstPortNumber
    , DstBytes
    , SrcBytes
| sort by
    SrcIpAddr asc
    , TimeGenerated asc
    , DstIpAddr asc
    , DstPortNumber asc
| serialize
| extend
    nextTimeGenerated = next(TimeGenerated, 1)
    , nextSrcIpAddr = next(SrcIpAddr, 1)
| extend
    TimeDeltainSeconds = datetime_diff('second', nextTimeGenerated, TimeGenerated)
| where SrcIpAddr == nextSrcIpAddr
//Whitelisting criteria/ threshold criteria
| where TimeDeltainSeconds > TimeDeltaThreshold
| project
    TimeGenerated
    , TimeDeltainSeconds
    , SrcIpAddr
    , SrcPortNumber
    , DstIpAddr
    , DstPortNumber
    , DstBytes
    , SrcBytes
| summarize
    count()
    , sum(DstBytes)
    , sum(SrcBytes)
    , make_list(TimeDeltainSeconds)
    by TimeDeltainSeconds
    , bin(TimeGenerated, 1h)
    , SrcIpAddr
    , DstIpAddr
    , DstPortNumber
| summarize
    (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds)
    , TotalEvents=sum(count_)
    , TotalSrcBytes = sum(sum_SrcBytes)
    , TotalDstBytes = sum(sum_DstBytes)
    by bin(TimeGenerated, 1h)
    , SrcIpAddr
    , DstIpAddr
    , DstPortNumber
| where TotalEvents > TotalEventsThreshold
| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100
| where BeaconPercent > PercentBeaconThreshold
```
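The query above scores each (hour, source, destination, port) group by the share of sessions that sit at the single most common inter-session gap: gaps of 10 seconds or less are discarded, a group needs more than 15 qualifying sessions, and more than 80% of them must share one gap. The following Python is an added example, not part of the rule or of the Azure-Sentinel repository: it re-implements that heuristic over constructed NetworkSession-style records so the scoring can be inspected offline. The threshold constants are copied from the query; the record layout, the sample addresses and the `_sessions` helper are assumptions made for the example. It also preserves one behaviour of the query that matters when tuning: `next()` pairs each session with the following session from the same source whatever its destination, so a host talking to several servers at once has its intervals diluted.

```python
"""Added example: the beaconing heuristic of the ASIM NetworkSession rule, in Python,
run over constructed session records (not the rule's own code)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Thresholds copied from the KQL rule.
TIME_DELTA_THRESHOLD = 10        # seconds; gaps at or below this are discarded
TOTAL_EVENTS_THRESHOLD = 15      # minimum qualifying sessions per (hour, src, dst, port)
PERCENT_BEACON_THRESHOLD = 80    # share of sessions that must share the dominant gap
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "127.0.0.0/8")]
# KQL ipv4_is_private() covers the RFC 1918 ranges; Python's ip.is_private is broader,
# so the ranges are listed explicitly to match the rule's filter.
PRIVATE_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(dst_ip: str) -> bool:
    """Destination filter of the rule: keep only public, non-local destinations."""
    ip = ipaddress.ip_address(dst_ip)
    return not any(ip in net for net in PRIVATE_NETWORKS + LOCAL_NETWORKS)


def beacon_candidates(events):
    """Return the (hour, src, dst, port) groups whose session timing looks like beaconing.

    events: dicts with TimeGenerated (datetime), SrcIpAddr, DstIpAddr, DstPortNumber,
    SrcBytes and DstBytes, i.e. the columns the KQL projects (assumed layout).
    """
    rows = [e for e in events if is_external(e["DstIpAddr"])]
    # Same ordering as the KQL 'sort by', so the next row is the following session
    # from the same source, whatever its destination.
    rows.sort(key=lambda e: (e["SrcIpAddr"], e["TimeGenerated"],
                             e["DstIpAddr"], e["DstPortNumber"]))
    groups = defaultdict(lambda: {"deltas": Counter(), "SrcBytes": 0, "DstBytes": 0})
    for cur, nxt in zip(rows, rows[1:]):
        if cur["SrcIpAddr"] != nxt["SrcIpAddr"]:
            continue                      # next() crossed into another source
        delta = int((nxt["TimeGenerated"] - cur["TimeGenerated"]).total_seconds())
        if delta <= TIME_DELTA_THRESHOLD:
            continue                      # rapid bursts are not counted as beacons
        hour = cur["TimeGenerated"].replace(minute=0, second=0, microsecond=0)  # bin(TimeGenerated, 1h)
        g = groups[(hour, cur["SrcIpAddr"], cur["DstIpAddr"], cur["DstPortNumber"])]
        g["deltas"][delta] += 1
        g["SrcBytes"] += cur["SrcBytes"]
        g["DstBytes"] += cur["DstBytes"]
    results = []
    for (hour, src, dst, port), g in groups.items():
        total = sum(g["deltas"].values())
        if total <= TOTAL_EVENTS_THRESHOLD:
            continue
        interval, count = g["deltas"].most_common(1)[0]   # arg_max(count_, TimeDeltainSeconds)
        percent = count / total * 100
        if percent > PERCENT_BEACON_THRESHOLD:
            results.append({"TimeGenerated": hour, "SrcIpAddr": src, "DstIpAddr": dst,
                            "DstPortNumber": port, "MostFrequentTimeDeltainSeconds": interval,
                            "MostFrequentTimeDeltaCount": count, "TotalEvents": total,
                            "BeaconPercent": percent, "TotalSrcBytes": g["SrcBytes"],
                            "TotalDstBytes": g["DstBytes"]})
    return results


def _sessions(src, dst, port, start, gaps):
    """Constructed sample data: one session at start, then one after each gap (seconds)."""
    out, t = [], start
    for gap in [0] + list(gaps):
        t += timedelta(seconds=gap)
        out.append({"TimeGenerated": t, "SrcIpAddr": src, "DstIpAddr": dst,
                    "DstPortNumber": port, "SrcBytes": 512, "DstBytes": 128})
    return out


START = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = (                                                               # constructed
    _sessions("10.0.0.5", "203.0.113.10", 443, START, [60] * 19)                # fixed 60 s cadence
    + _sessions("10.0.0.7", "198.51.100.20", 443, START, [20, 45, 90, 130, 300] * 4)  # irregular
    + _sessions("10.0.0.9", "10.0.0.1", 445, START, [30] * 19)                  # private dst: filtered
    + _sessions("10.0.0.9", "169.254.169.254", 80, START, [30] * 19)            # link-local: filtered
)

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_EVENTS):
        print(hit)
```

Run as a script it prints a single hit, the 10.0.0.5 to 203.0.113.10:443 group with a 60-second interval and BeaconPercent 100; the irregular host and the two non-public destinations produce nothing. Lowering `TIME_DELTA_THRESHOLD` or `PERCENT_BEACON_THRESHOLD` on the sample shows directly how many false positives each knob admits before changing the deployed rule.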
```yaml
queryPeriod: 2d
version: 1.1.6
tactics:
  - CommandAndControl
queryFrequency: 1d
id: fcb9d75c-c3c1-4910-8697-f136bfef2363
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/PossibleBeaconingActivity.yaml
requiredDataConnectors:
  - dataTypes:
      - AWSVPCFlow
    connectorId: AWSS3
  - dataTypes:
      - DeviceNetworkEvents
    connectorId: MicrosoftThreatProtection
  - dataTypes:
      - SecurityEvent
    connectorId: SecurityEvents
  - dataTypes:
      - SecurityEvent
    connectorId: WindowsSecurityEvents
  - dataTypes:
      - WindowsEvent
    connectorId: WindowsForwardedEvents
  - dataTypes:
      - CommonSecurityLog
    connectorId: Zscaler
  - dataTypes:
      - Syslog
    connectorId: MicrosoftSysmonForLinux
  - dataTypes:
      - CommonSecurityLog
    connectorId: PaloAltoNetworks
  - dataTypes:
      - VMConnection
    connectorId: AzureMonitor(VMInsights)
  - dataTypes:
      - AzureDiagnostics
    connectorId: AzureFirewall
  - dataTypes:
      - AzureDiagnostics
    connectorId: AzureNSG
  - dataTypes:
      - CommonSecurityLog
    connectorId: CiscoASA
  - dataTypes:
      - CommonSecurityLog
    connectorId: CiscoAsaAma
  - dataTypes:
      - Corelight_CL
    connectorId: Corelight
  - dataTypes:
      - VectraStream
    connectorId: AIVectraStream
  - dataTypes:
      - CommonSecurityLog
    connectorId: CheckPoint
  - dataTypes:
      - CommonSecurityLog
    connectorId: Fortinet
  - dataTypes:
      - Syslog
      - CiscoMerakiNativePoller
    connectorId: CiscoMeraki
severity: Low
alertDetailsOverride:
  alertDescriptionFormat: Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.
  alertDisplayNameFormat: Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}
entityMappings:
  - entityType: IP
    fieldMappings:
      - columnName: SrcIpAddr
        identifier: Address
  - entityType: IP
    fieldMappings:
      - columnName: DstIpAddr
        identifier: Address
triggerThreshold: 0
relevantTechniques:
  - T1071
  - T1571
query: |
  let querystarttime = 2d;
  let queryendtime = 1d;
  let TimeDeltaThreshold = 10;
  let TotalEventsThreshold = 15;
  let PercentBeaconThreshold = 80;
  let LocalNetworks=dynamic(["169.254.0.0/16","127.0.0.0/8"]);
  _Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))
  | where not(ipv4_is_private(DstIpAddr))
  | where not (ipv4_is_in_any_range(DstIpAddr, LocalNetworks))
  | project
      TimeGenerated
      , SrcIpAddr
      , SrcPortNumber
      , DstIpAddr
      , DstPortNumber
      , DstBytes
      , SrcBytes
  | sort by
      SrcIpAddr asc
      , TimeGenerated asc
      , DstIpAddr asc
      , DstPortNumber asc
  | serialize
  | extend
      nextTimeGenerated = next(TimeGenerated, 1)
      , nextSrcIpAddr = next(SrcIpAddr, 1)
  | extend
      TimeDeltainSeconds = datetime_diff('second', nextTimeGenerated, TimeGenerated)
  | where SrcIpAddr == nextSrcIpAddr
  //Whitelisting criteria/ threshold criteria
  | where TimeDeltainSeconds > TimeDeltaThreshold
  | project
      TimeGenerated
      , TimeDeltainSeconds
      , SrcIpAddr
      , SrcPortNumber
      , DstIpAddr
      , DstPortNumber
      , DstBytes
      , SrcBytes
  | summarize
      count()
      , sum(DstBytes)
      , sum(SrcBytes)
      , make_list(TimeDeltainSeconds)
      by TimeDeltainSeconds
      , bin(TimeGenerated, 1h)
      , SrcIpAddr
      , DstIpAddr
      , DstPortNumber
  | summarize
      (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds)
      , TotalEvents=sum(count_)
      , TotalSrcBytes = sum(sum_SrcBytes)
      , TotalDstBytes = sum(sum_DstBytes)
      by bin(TimeGenerated, 1h)
      , SrcIpAddr
      , DstIpAddr
      , DstPortNumber
  | where TotalEvents > TotalEventsThreshold
  | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100
  | where BeaconPercent > PercentBeaconThreshold
kind: Scheduled
name: Potential beaconing activity (ASIM Network Session schema)
customDetails:
  FrequencyCount: TotalSrcBytes
  DstPortNumber: DstPortNumber
  FrequencyTime: MostFrequentTimeDeltaCount
  TotalDstBytes: TotalDstBytes
description: |
  This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns.
  Such potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'
status: Available
tags:
  - ParentVersion: 1.0.0
    ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml
  - Schema: ASIMNetworkSession
    SchemaVersion: 0.2.4
```
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fcb9d75c-c3c1-4910-8697-f136bfef2363')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fcb9d75c-c3c1-4910-8697-f136bfef2363')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.",
          "alertDisplayNameFormat": "Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}"
        },
        "alertRuleTemplateName": "fcb9d75c-c3c1-4910-8697-f136bfef2363",
        "customDetails": {
          "DstPortNumber": "DstPortNumber",
          "FrequencyCount": "TotalSrcBytes",
          "FrequencyTime": "MostFrequentTimeDeltaCount",
          "TotalDstBytes": "TotalDstBytes"
        },
        "description": "This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. \nSuch potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'\n",
        "displayName": "Potential beaconing activity (ASIM Network Session schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DstIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/PossibleBeaconingActivity.yaml",
        "query": "let querystarttime = 2d;\nlet queryendtime = 1d;\nlet TimeDeltaThreshold = 10;\nlet TotalEventsThreshold = 15;\nlet PercentBeaconThreshold = 80;\nlet LocalNetworks=dynamic([\"169.254.0.0/16\",\"127.0.0.0/8\"]);\n_Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))\n| where not(ipv4_is_private(DstIpAddr))\n| where not (ipv4_is_in_any_range(DstIpAddr, LocalNetworks))\n| project \n TimeGenerated\n , SrcIpAddr\n , SrcPortNumber\n , DstIpAddr\n , DstPortNumber\n , DstBytes\n , SrcBytes\n| sort by \n SrcIpAddr asc\n , TimeGenerated asc\n , DstIpAddr asc\n , DstPortNumber asc\n| serialize\n| extend \n nextTimeGenerated = next(TimeGenerated, 1)\n , nextSrcIpAddr = next(SrcIpAddr, 1)\n| extend \n TimeDeltainSeconds = datetime_diff('second', nextTimeGenerated, TimeGenerated)\n| where SrcIpAddr == nextSrcIpAddr\n//Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold \n| project\n TimeGenerated\n , TimeDeltainSeconds\n , SrcIpAddr\n , SrcPortNumber\n , DstIpAddr\n , DstPortNumber\n , DstBytes\n , SrcBytes\n| summarize\n count()\n , sum(DstBytes)\n , sum(SrcBytes)\n , make_list(TimeDeltainSeconds) \n by TimeDeltainSeconds\n , bin(TimeGenerated, 1h)\n , SrcIpAddr\n , DstIpAddr\n , DstPortNumber\n| summarize\n (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds)\n , TotalEvents=sum(count_)\n , TotalSrcBytes = sum(sum_SrcBytes)\n , TotalDstBytes = sum(sum_DstBytes)\n by bin(TimeGenerated, 1h)\n , SrcIpAddr\n , DstIpAddr\n , DstPortNumber\n| where TotalEvents > TotalEventsThreshold \n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P2D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "tags": [
          {
            "ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml",
            "ParentVersion": "1.0.0"
          },
          {
            "Schema": "ASIMNetworkSession",
            "SchemaVersion": "0.2.4"
          }
        ],
        "techniques": [
          "T1071",
          "T1571"
        ],
        "templateVersion": "1.1.6",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}
```