Firewall Allowed Traffic to High-Risk Country
05 CSL High Risk Country Traffic
Query
let HighRiskCountries = dynamic([
"China", "Russia", "North Korea", "Iran", "Syria",
"Cuba", "Belarus", "Venezuela", "Afghanistan", "Libya"]);
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where DeviceAction !in ("deny", "block", "drop", "BLOCK", "DROP", "Reset-Both")
| where isnotempty(DestinationIP)
| where ipv4_is_private(DestinationIP) == false
| extend DestCountry = tostring(geo_info_from_ip_address(DestinationIP).country)
| where DestCountry in (HighRiskCountries)
| summarize
ConnectionCount = count(),
BytesSent = sum(SentBytes),
InternalIPs = make_set(SourceIP, 20),
ExternalIPs = make_set(DestinationIP, 20),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
RepresentativeIP = any(SourceIP)
by DestCountry, DeviceVendor
| order by ConnectionCount descExplanation
This query is designed to detect and alert on allowed firewall traffic to or from countries that are often associated with nation-state threat actors and advanced persistent threat (APT) groups. The countries of interest include China, Russia, North Korea, Iran, Syria, Cuba, Belarus, Venezuela, Afghanistan, and Libya.
Here's a simplified breakdown of what the query does:
-
Data Source: It uses data from the "CommonSecurityLog" provided by security devices from vendors like Fortinet, Palo Alto Networks, and Zscaler.
-
Time Frame: The query looks at logs from the past day (24 hours).
-
Traffic Filtering: It filters out any traffic that was denied, blocked, or dropped by the firewall, focusing only on allowed traffic.
-
IP Address Check: It ensures that the destination IP addresses are not private (i.e., they are public IPs).
-
Country Identification: It determines the destination country of the traffic using the IP address and checks if it matches any of the high-risk countries listed.
-
Summarization: For each high-risk country and device vendor, it summarizes the data by counting the number of connections, the total bytes sent, and lists up to 20 internal and external IP addresses involved. It also records the first and last time the traffic was seen and identifies a representative internal IP address.
-
Alerting: If any connections are found, it triggers an alert with details about the number of connections and the destination country. The alert suggests reviewing the traffic for potential command and control (C2) channels or data exfiltration.
-
Incident Management: The query is set to create an incident if such traffic is detected, with specific configurations for grouping and managing these incidents.
Overall, this query helps security teams monitor and respond to potentially suspicious network activity involving high-risk countries, which could indicate unauthorized access or data breaches.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques
Frequency: 1h
Period: 1d