Query Details

Firewall Beaconing Detection - Regular Outbound Connections

01 CSL Beaconing Detection

Query

CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where DeviceAction !in ("deny", "block", "drop", "BLOCK", "DROP", "Reset-Both")
| where isnotempty(DestinationIP)
| where ipv4_is_private(DestinationIP) == false
| where isnotempty(SourceIP)
| summarize
    ConnectionCount  = count(),
    BytesSent        = sum(SentBytes),
    BytesReceived    = sum(ReceivedBytes),
    HourlyBuckets    = dcount(bin(TimeGenerated, 1h)),
    Ports            = make_set(DestinationPort, 10),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by SourceIP, DestinationIP, DeviceVendor
| where ConnectionCount > 20 and HourlyBuckets >= 3
| extend BeaconScore = round(toreal(ConnectionCount) / toreal(HourlyBuckets), 1)
| where BeaconScore > 5
| order by BeaconScore desc

Explanation

This query is designed to detect potential Command and Control (C2) beaconing activity by identifying internal hosts that make frequent, regular connections to the same external IP address. Here's a simplified breakdown of what the query does:

  1. Data Source: It analyzes logs from Fortinet, Palo Alto Networks, and Zscaler devices, focusing on allowed sessions (i.e., connections that were not blocked or denied).

  2. Time Frame: The query looks at data from the past 24 hours.

  3. Criteria for Detection:

    • It identifies connections where there are more than 20 interactions between an internal and an external IP.
    • These connections must span at least 3 different hourly time buckets.
    • The "Beacon Score" (average number of connections per hour) must be greater than 5.
  4. Output: The query outputs a list of internal and external IP pairs, along with details like the number of connections, data sent and received, and the calculated beacon score.

  5. Alerting: If the criteria are met, an alert is generated with a high severity level. The alert includes details about the source and destination IPs, the number of connections, and the beacon score.

  6. Incident Management: The system can automatically create incidents based on these alerts, grouping them by IP address if multiple alerts are related.

Overall, this query helps security teams identify suspicious network activity that could indicate malicious communication with external servers, often associated with malware or compromised systems.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLogFortinetPaloAltoNetworksZscalerSourceIPDestinationIPDeviceVendorConnectionCountBytesSentBytesReceivedHourlyBucketsPortsTimeGeneratedBeaconScore

Operators

ago()in()!in()isnotempty()ipv4_is_private()summarizecount()sum()dcount()bin()make_set()min()max()extendround()toreal()order by

Severity

High

Tactics

CommandAndControl

MITRE Techniques

Frequency: 1h

Period: 1d

Actions

GitHub