Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Potential beaconing activity (ASIM Network Session schema)

Back
Idfcb9d75c-c3c1-4910-8697-f136bfef2363
RulenamePotential beaconing activity (ASIM Network Session schema)
DescriptionThis rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this Blog.\<br><br>

This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM NetworkSession schema
SeverityLow
TacticsCommandAndControl
TechniquesT1071
T1571
Required data connectorsAIVectraStream
AWSS3
AzureFirewall
AzureMonitor(VMInsights)
AzureNSG
CheckPoint
CiscoASA
CiscoMeraki
Corelight
Fortinet
MicrosoftSysmonForLinux
MicrosoftThreatProtection
PaloAltoNetworks
SecurityEvents
WindowsForwardedEvents
Zscaler
KindScheduled
Query frequency1d
Query period2d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/PossibleBeaconingActivity.yaml
Version1.1.2
Arm templatefcb9d75c-c3c1-4910-8697-f136bfef2363.json
Deploy To Azure
let querystarttime = 2d;
let queryendtime = 1d;
let TimeDeltaThreshold = 10;
let TotalEventsThreshold = 15;
let PercentBeaconThreshold = 80;
_Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))
| where not(ipv4_is_private(DstIpAddr))
| project TimeGenerated,   SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes
| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc
| serialize
| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)
| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)
| where SrcIpAddr == nextSrcIpAddr
//Whitelisting criteria/ threshold criteria
| where TimeDeltainSeconds > TimeDeltaThreshold 
| project TimeGenerated, TimeDeltainSeconds,   SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes
| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) 
by TimeDeltainSeconds, bin(TimeGenerated, 1h),   SrcIpAddr, DstIpAddr, DstPortNumber
| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) 
by bin(TimeGenerated, 1h),   SrcIpAddr, DstIpAddr, DstPortNumber
| where TotalEvents > TotalEventsThreshold 
| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100
| where BeaconPercent > PercentBeaconThreshold
severity: Low
triggerThreshold: 0
query: |
  let querystarttime = 2d;
  let queryendtime = 1d;
  let TimeDeltaThreshold = 10;
  let TotalEventsThreshold = 15;
  let PercentBeaconThreshold = 80;
  _Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))
  | where not(ipv4_is_private(DstIpAddr))
  | project TimeGenerated,   SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes
  | sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc
  | serialize
  | extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)
  | extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)
  | where SrcIpAddr == nextSrcIpAddr
  //Whitelisting criteria/ threshold criteria
  | where TimeDeltainSeconds > TimeDeltaThreshold 
  | project TimeGenerated, TimeDeltainSeconds,   SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes
  | summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) 
  by TimeDeltainSeconds, bin(TimeGenerated, 1h),   SrcIpAddr, DstIpAddr, DstPortNumber
  | summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) 
  by bin(TimeGenerated, 1h),   SrcIpAddr, DstIpAddr, DstPortNumber
  | where TotalEvents > TotalEventsThreshold 
  | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100
  | where BeaconPercent > PercentBeaconThreshold  
customDetails:
  TotalDstBytes: TotalDstBytes
  DstPortNumber: DstPortNumber
  FrequencyTime: MostFrequentTimeDeltaCount
  FrequencyCount: TotalSrcBytes
queryFrequency: 1d
requiredDataConnectors:
- connectorId: AWSS3
  dataTypes:
  - AWSVPCFlow
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceNetworkEvents
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftSysmonForLinux
  dataTypes:
  - Syslog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
- connectorId: AzureMonitor(VMInsights)
  dataTypes:
  - VMConnection
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
- connectorId: AzureNSG
  dataTypes:
  - AzureDiagnostics
- connectorId: CiscoASA
  dataTypes:
  - CommonSecurityLog
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
- connectorId: AIVectraStream
  dataTypes:
  - VectraStream
- connectorId: CheckPoint
  dataTypes:
  - CommonSecurityLog
- connectorId: Fortinet
  dataTypes:
  - CommonSecurityLog
- connectorId: CiscoMeraki
  dataTypes:
  - Syslog
  - CiscoMerakiNativePoller
id: fcb9d75c-c3c1-4910-8697-f136bfef2363
version: 1.1.2
name: Potential beaconing activity (ASIM Network Session schema)
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/PossibleBeaconingActivity.yaml
queryPeriod: 2d
alertDetailsOverride:
  alertDescriptionFormat: Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.
  alertDisplayNameFormat: Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}
relevantTechniques:
- T1071
- T1571
triggerOperator: gt
tactics:
- CommandAndControl
tags:
- ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml
  ParentVersion: 1.0.0
- Schema: ASIMNetworkSession
  SchemaVersion: 0.2.4
description: |
  This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\<br><br>
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'  
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DstIpAddr
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fcb9d75c-c3c1-4910-8697-f136bfef2363')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fcb9d75c-c3c1-4910-8697-f136bfef2363')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Potential beaconing activity (ASIM Network Session schema)",
        "description": "This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\<br><br>\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let querystarttime = 2d;\nlet queryendtime = 1d;\nlet TimeDeltaThreshold = 10;\nlet TotalEventsThreshold = 15;\nlet PercentBeaconThreshold = 80;\n_Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))\n| where not(ipv4_is_private(DstIpAddr))\n| project TimeGenerated,   SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc\n| serialize\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\n| where SrcIpAddr == nextSrcIpAddr\n//Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold \n| project TimeGenerated, TimeDeltainSeconds,   SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) \nby TimeDeltainSeconds, bin(TimeGenerated, 1h),   SrcIpAddr, DstIpAddr, DstPortNumber\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \nby bin(TimeGenerated, 1h),   SrcIpAddr, DstIpAddr, DstPortNumber\n| where TotalEvents > TotalEventsThreshold \n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P2D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071",
          "T1571"
        ],
        "alertRuleTemplateName": "fcb9d75c-c3c1-4910-8697-f136bfef2363",
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.",
          "alertDisplayNameFormat": "Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}"
        },
        "customDetails": {
          "FrequencyCount": "TotalSrcBytes",
          "DstPortNumber": "DstPortNumber",
          "FrequencyTime": "MostFrequentTimeDeltaCount",
          "TotalDstBytes": "TotalDstBytes"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "columnName": "DstIpAddr",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "tags": [
          {
            "ParentVersion": "1.0.0",
            "ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml"
          },
          {
            "Schema": "ASIMNetworkSession",
            "SchemaVersion": "0.2.4"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/PossibleBeaconingActivity.yaml",
        "templateVersion": "1.1.2",
        "status": "Available"
      }
    }
  ]
}